1 /* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 /* TO DO: 18 * 1. Perhaps keep several copies of the encrypted key, in case something 19 * goes horribly wrong? 20 * 21 */ 22 23 #include <sys/types.h> 24 #include <sys/wait.h> 25 #include <sys/stat.h> 26 #include <ctype.h> 27 #include <fcntl.h> 28 #include <inttypes.h> 29 #include <unistd.h> 30 #include <stdio.h> 31 #include <sys/ioctl.h> 32 #include <linux/dm-ioctl.h> 33 #include <libgen.h> 34 #include <stdlib.h> 35 #include <sys/param.h> 36 #include <string.h> 37 #include <sys/mount.h> 38 #include <openssl/evp.h> 39 #include <openssl/sha.h> 40 #include <errno.h> 41 #include <ext4_utils/ext4.h> 42 #include <ext4_utils/ext4_utils.h> 43 #include <linux/kdev_t.h> 44 #include <fs_mgr.h> 45 #include <time.h> 46 #include <math.h> 47 #include <selinux/selinux.h> 48 #include "cryptfs.h" 49 #include "secontext.h" 50 #define LOG_TAG "Cryptfs" 51 #include "cutils/log.h" 52 #include "cutils/properties.h" 53 #include "cutils/android_reboot.h" 54 #include "hardware_legacy/power.h" 55 #include <logwrap/logwrap.h> 56 #include "ScryptParameters.h" 57 #include "VolumeManager.h" 58 #include "VoldUtil.h" 59 #include "Ext4Crypt.h" 60 #include "f2fs_sparseblock.h" 61 #include "CheckBattery.h" 62 #include "Process.h" 63 #include "Keymaster.h" 64 #include "android-base/properties.h" 65 #include <bootloader_message/bootloader_message.h> 66 extern "C" { 67 #include <crypto_scrypt.h> 68 } 69 70 #define UNUSED __attribute__((unused)) 71 72 #define DM_CRYPT_BUF_SIZE 4096 73 74 #define HASH_COUNT 2000 75 #define KEY_LEN_BYTES 16 76 #define IV_LEN_BYTES 16 77 78 #define KEY_IN_FOOTER "footer" 79 80 #define DEFAULT_PASSWORD "default_password" 81 82 #define CRYPTO_BLOCK_DEVICE "userdata" 83 84 #define BREADCRUMB_FILE "/data/misc/vold/convert_fde" 85 86 #define EXT4_FS 1 87 #define F2FS_FS 2 88 89 #define TABLE_LOAD_RETRIES 10 90 91 #define RSA_KEY_SIZE 2048 92 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8) 93 #define RSA_EXPONENT 0x10001 94 #define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second 95 96 #define RETRY_MOUNT_ATTEMPTS 10 97 #define RETRY_MOUNT_DELAY_SECONDS 1 98 99 static unsigned char saved_master_key[KEY_LEN_BYTES]; 100 static char *saved_mount_point; 101 static int master_key_saved = 0; 102 static struct crypt_persist_data *persist_data = NULL; 103 104 /* Should we use keymaster? */ 105 static int keymaster_check_compatibility() 106 { 107 return keymaster_compatibility_cryptfs_scrypt(); 108 } 109 110 /* Create a new keymaster key and store it in this footer */ 111 static int keymaster_create_key(struct crypt_mnt_ftr *ftr) 112 { 113 if (ftr->keymaster_blob_size) { 114 SLOGI("Already have key"); 115 return 0; 116 } 117 118 int rc = keymaster_create_key_for_cryptfs_scrypt(RSA_KEY_SIZE, RSA_EXPONENT, 119 KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob, KEYMASTER_BLOB_SIZE, 120 &ftr->keymaster_blob_size); 121 if (rc) { 122 if (ftr->keymaster_blob_size > KEYMASTER_BLOB_SIZE) { 123 SLOGE("Keymaster key blob to large)"); 124 ftr->keymaster_blob_size = 0; 125 } 126 SLOGE("Failed to generate keypair"); 127 return -1; 128 } 129 return 0; 130 } 131 132 /* This signs the given object using the keymaster key. */ 133 static int keymaster_sign_object(struct crypt_mnt_ftr *ftr, 134 const unsigned char *object, 135 const size_t object_size, 136 unsigned char **signature, 137 size_t *signature_size) 138 { 139 unsigned char to_sign[RSA_KEY_SIZE_BYTES]; 140 size_t to_sign_size = sizeof(to_sign); 141 memset(to_sign, 0, RSA_KEY_SIZE_BYTES); 142 143 // To sign a message with RSA, the message must satisfy two 144 // constraints: 145 // 146 // 1. The message, when interpreted as a big-endian numeric value, must 147 // be strictly less than the public modulus of the RSA key. Note 148 // that because the most significant bit of the public modulus is 149 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit 150 // key), an n-bit message with most significant bit 0 always 151 // satisfies this requirement. 152 // 153 // 2. The message must have the same length in bits as the public 154 // modulus of the RSA key. This requirement isn't mathematically 155 // necessary, but is necessary to ensure consistency in 156 // implementations. 157 switch (ftr->kdf_type) { 158 case KDF_SCRYPT_KEYMASTER: 159 // This ensures the most significant byte of the signed message 160 // is zero. We could have zero-padded to the left instead, but 161 // this approach is slightly more robust against changes in 162 // object size. However, it's still broken (but not unusably 163 // so) because we really should be using a proper deterministic 164 // RSA padding function, such as PKCS1. 165 memcpy(to_sign + 1, object, std::min((size_t)RSA_KEY_SIZE_BYTES - 1, object_size)); 166 SLOGI("Signing safely-padded object"); 167 break; 168 default: 169 SLOGE("Unknown KDF type %d", ftr->kdf_type); 170 return -1; 171 } 172 return keymaster_sign_object_for_cryptfs_scrypt(ftr->keymaster_blob, ftr->keymaster_blob_size, 173 KEYMASTER_CRYPTFS_RATE_LIMIT, to_sign, to_sign_size, signature, signature_size); 174 } 175 176 /* Store password when userdata is successfully decrypted and mounted. 177 * Cleared by cryptfs_clear_password 178 * 179 * To avoid a double prompt at boot, we need to store the CryptKeeper 180 * password and pass it to KeyGuard, which uses it to unlock KeyStore. 181 * Since the entire framework is torn down and rebuilt after encryption, 182 * we have to use a daemon or similar to store the password. Since vold 183 * is secured against IPC except from system processes, it seems a reasonable 184 * place to store this. 185 * 186 * password should be cleared once it has been used. 187 * 188 * password is aged out after password_max_age_seconds seconds. 189 */ 190 static char* password = 0; 191 static int password_expiry_time = 0; 192 static const int password_max_age_seconds = 60; 193 194 extern struct fstab *fstab; 195 196 enum RebootType {reboot, recovery, shutdown}; 197 static void cryptfs_reboot(enum RebootType rt) 198 { 199 switch(rt) { 200 case reboot: 201 property_set(ANDROID_RB_PROPERTY, "reboot"); 202 break; 203 204 case recovery: 205 property_set(ANDROID_RB_PROPERTY, "reboot,recovery"); 206 break; 207 208 case shutdown: 209 property_set(ANDROID_RB_PROPERTY, "shutdown"); 210 break; 211 } 212 213 sleep(20); 214 215 /* Shouldn't get here, reboot should happen before sleep times out */ 216 return; 217 } 218 219 static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags) 220 { 221 memset(io, 0, dataSize); 222 io->data_size = dataSize; 223 io->data_start = sizeof(struct dm_ioctl); 224 io->version[0] = 4; 225 io->version[1] = 0; 226 io->version[2] = 0; 227 io->flags = flags; 228 if (name) { 229 strlcpy(io->name, name, sizeof(io->name)); 230 } 231 } 232 233 /** 234 * Gets the default device scrypt parameters for key derivation time tuning. 235 * The parameters should lead to about one second derivation time for the 236 * given device. 237 */ 238 static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) { 239 char paramstr[PROPERTY_VALUE_MAX]; 240 int Nf, rf, pf; 241 242 property_get(SCRYPT_PROP, paramstr, SCRYPT_DEFAULTS); 243 if (!parse_scrypt_parameters(paramstr, &Nf, &rf, &pf)) { 244 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr); 245 parse_scrypt_parameters(SCRYPT_DEFAULTS, &Nf, &rf, &pf); 246 } 247 ftr->N_factor = Nf; 248 ftr->r_factor = rf; 249 ftr->p_factor = pf; 250 } 251 252 static unsigned int get_fs_size(char *dev) 253 { 254 int fd, block_size; 255 struct ext4_super_block sb; 256 off64_t len; 257 258 if ((fd = open(dev, O_RDONLY|O_CLOEXEC)) < 0) { 259 SLOGE("Cannot open device to get filesystem size "); 260 return 0; 261 } 262 263 if (lseek64(fd, 1024, SEEK_SET) < 0) { 264 SLOGE("Cannot seek to superblock"); 265 return 0; 266 } 267 268 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) { 269 SLOGE("Cannot read superblock"); 270 return 0; 271 } 272 273 close(fd); 274 275 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) { 276 SLOGE("Not a valid ext4 superblock"); 277 return 0; 278 } 279 block_size = 1024 << sb.s_log_block_size; 280 /* compute length in bytes */ 281 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size; 282 283 /* return length in sectors */ 284 return (unsigned int) (len / 512); 285 } 286 287 static int get_crypt_ftr_info(char **metadata_fname, off64_t *off) 288 { 289 static int cached_data = 0; 290 static off64_t cached_off = 0; 291 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = ""; 292 int fd; 293 char key_loc[PROPERTY_VALUE_MAX]; 294 char real_blkdev[PROPERTY_VALUE_MAX]; 295 int rc = -1; 296 297 if (!cached_data) { 298 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc)); 299 300 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 301 if ( (fd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) { 302 SLOGE("Cannot open real block device %s\n", real_blkdev); 303 return -1; 304 } 305 306 unsigned long nr_sec = 0; 307 get_blkdev_size(fd, &nr_sec); 308 if (nr_sec != 0) { 309 /* If it's an encrypted Android partition, the last 16 Kbytes contain the 310 * encryption info footer and key, and plenty of bytes to spare for future 311 * growth. 312 */ 313 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname)); 314 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET; 315 cached_data = 1; 316 } else { 317 SLOGE("Cannot get size of block device %s\n", real_blkdev); 318 } 319 close(fd); 320 } else { 321 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname)); 322 cached_off = 0; 323 cached_data = 1; 324 } 325 } 326 327 if (cached_data) { 328 if (metadata_fname) { 329 *metadata_fname = cached_metadata_fname; 330 } 331 if (off) { 332 *off = cached_off; 333 } 334 rc = 0; 335 } 336 337 return rc; 338 } 339 340 /* Set sha256 checksum in structure */ 341 static void set_ftr_sha(struct crypt_mnt_ftr *crypt_ftr) 342 { 343 SHA256_CTX c; 344 SHA256_Init(&c); 345 memset(crypt_ftr->sha256, 0, sizeof(crypt_ftr->sha256)); 346 SHA256_Update(&c, crypt_ftr, sizeof(*crypt_ftr)); 347 SHA256_Final(crypt_ftr->sha256, &c); 348 } 349 350 /* key or salt can be NULL, in which case just skip writing that value. Useful to 351 * update the failed mount count but not change the key. 352 */ 353 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 354 { 355 int fd; 356 unsigned int cnt; 357 /* starting_off is set to the SEEK_SET offset 358 * where the crypto structure starts 359 */ 360 off64_t starting_off; 361 int rc = -1; 362 char *fname = NULL; 363 struct stat statbuf; 364 365 set_ftr_sha(crypt_ftr); 366 367 if (get_crypt_ftr_info(&fname, &starting_off)) { 368 SLOGE("Unable to get crypt_ftr_info\n"); 369 return -1; 370 } 371 if (fname[0] != '/') { 372 SLOGE("Unexpected value for crypto key location\n"); 373 return -1; 374 } 375 if ( (fd = open(fname, O_RDWR | O_CREAT|O_CLOEXEC, 0600)) < 0) { 376 SLOGE("Cannot open footer file %s for put\n", fname); 377 return -1; 378 } 379 380 /* Seek to the start of the crypt footer */ 381 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 382 SLOGE("Cannot seek to real block device footer\n"); 383 goto errout; 384 } 385 386 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 387 SLOGE("Cannot write real block device footer\n"); 388 goto errout; 389 } 390 391 fstat(fd, &statbuf); 392 /* If the keys are kept on a raw block device, do not try to truncate it. */ 393 if (S_ISREG(statbuf.st_mode)) { 394 if (ftruncate(fd, 0x4000)) { 395 SLOGE("Cannot set footer file size\n"); 396 goto errout; 397 } 398 } 399 400 /* Success! */ 401 rc = 0; 402 403 errout: 404 close(fd); 405 return rc; 406 407 } 408 409 static bool check_ftr_sha(const struct crypt_mnt_ftr *crypt_ftr) 410 { 411 struct crypt_mnt_ftr copy; 412 memcpy(©, crypt_ftr, sizeof(copy)); 413 set_ftr_sha(©); 414 return memcmp(copy.sha256, crypt_ftr->sha256, sizeof(copy.sha256)) == 0; 415 } 416 417 static inline int unix_read(int fd, void* buff, int len) 418 { 419 return TEMP_FAILURE_RETRY(read(fd, buff, len)); 420 } 421 422 static inline int unix_write(int fd, const void* buff, int len) 423 { 424 return TEMP_FAILURE_RETRY(write(fd, buff, len)); 425 } 426 427 static void init_empty_persist_data(struct crypt_persist_data *pdata, int len) 428 { 429 memset(pdata, 0, len); 430 pdata->persist_magic = PERSIST_DATA_MAGIC; 431 pdata->persist_valid_entries = 0; 432 } 433 434 /* A routine to update the passed in crypt_ftr to the lastest version. 435 * fd is open read/write on the device that holds the crypto footer and persistent 436 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the 437 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd. 438 */ 439 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset) 440 { 441 int orig_major = crypt_ftr->major_version; 442 int orig_minor = crypt_ftr->minor_version; 443 444 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) { 445 struct crypt_persist_data *pdata; 446 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET; 447 448 SLOGW("upgrading crypto footer to 1.1"); 449 450 pdata = (crypt_persist_data *)malloc(CRYPT_PERSIST_DATA_SIZE); 451 if (pdata == NULL) { 452 SLOGE("Cannot allocate persisent data\n"); 453 return; 454 } 455 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE); 456 457 /* Need to initialize the persistent data area */ 458 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) { 459 SLOGE("Cannot seek to persisent data offset\n"); 460 free(pdata); 461 return; 462 } 463 /* Write all zeros to the first copy, making it invalid */ 464 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 465 466 /* Write a valid but empty structure to the second copy */ 467 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 468 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 469 470 /* Update the footer */ 471 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 472 crypt_ftr->persist_data_offset[0] = pdata_offset; 473 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE; 474 crypt_ftr->minor_version = 1; 475 free(pdata); 476 } 477 478 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) { 479 SLOGW("upgrading crypto footer to 1.2"); 480 /* But keep the old kdf_type. 481 * It will get updated later to KDF_SCRYPT after the password has been verified. 482 */ 483 crypt_ftr->kdf_type = KDF_PBKDF2; 484 get_device_scrypt_params(crypt_ftr); 485 crypt_ftr->minor_version = 2; 486 } 487 488 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) { 489 SLOGW("upgrading crypto footer to 1.3"); 490 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD; 491 crypt_ftr->minor_version = 3; 492 } 493 494 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) { 495 if (lseek64(fd, offset, SEEK_SET) == -1) { 496 SLOGE("Cannot seek to crypt footer\n"); 497 return; 498 } 499 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr)); 500 } 501 } 502 503 504 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 505 { 506 int fd; 507 unsigned int cnt; 508 off64_t starting_off; 509 int rc = -1; 510 char *fname = NULL; 511 struct stat statbuf; 512 513 if (get_crypt_ftr_info(&fname, &starting_off)) { 514 SLOGE("Unable to get crypt_ftr_info\n"); 515 return -1; 516 } 517 if (fname[0] != '/') { 518 SLOGE("Unexpected value for crypto key location\n"); 519 return -1; 520 } 521 if ( (fd = open(fname, O_RDWR|O_CLOEXEC)) < 0) { 522 SLOGE("Cannot open footer file %s for get\n", fname); 523 return -1; 524 } 525 526 /* Make sure it's 16 Kbytes in length */ 527 fstat(fd, &statbuf); 528 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) { 529 SLOGE("footer file %s is not the expected size!\n", fname); 530 goto errout; 531 } 532 533 /* Seek to the start of the crypt footer */ 534 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 535 SLOGE("Cannot seek to real block device footer\n"); 536 goto errout; 537 } 538 539 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 540 SLOGE("Cannot read real block device footer\n"); 541 goto errout; 542 } 543 544 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) { 545 SLOGE("Bad magic for real block device %s\n", fname); 546 goto errout; 547 } 548 549 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) { 550 SLOGE("Cannot understand major version %d real block device footer; expected %d\n", 551 crypt_ftr->major_version, CURRENT_MAJOR_VERSION); 552 goto errout; 553 } 554 555 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) { 556 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n", 557 crypt_ftr->minor_version, CURRENT_MINOR_VERSION); 558 } 559 560 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the 561 * copy on disk before returning. 562 */ 563 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) { 564 upgrade_crypt_ftr(fd, crypt_ftr, starting_off); 565 } 566 567 /* Success! */ 568 rc = 0; 569 570 errout: 571 close(fd); 572 return rc; 573 } 574 575 static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr) 576 { 577 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size > 578 crypt_ftr->persist_data_offset[1]) { 579 SLOGE("Crypt_ftr persist data regions overlap"); 580 return -1; 581 } 582 583 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) { 584 SLOGE("Crypt_ftr persist data region 0 starts after region 1"); 585 return -1; 586 } 587 588 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) - 589 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) > 590 CRYPT_FOOTER_OFFSET) { 591 SLOGE("Persistent data extends past crypto footer"); 592 return -1; 593 } 594 595 return 0; 596 } 597 598 static int load_persistent_data(void) 599 { 600 struct crypt_mnt_ftr crypt_ftr; 601 struct crypt_persist_data *pdata = NULL; 602 char encrypted_state[PROPERTY_VALUE_MAX]; 603 char *fname; 604 int found = 0; 605 int fd; 606 int ret; 607 int i; 608 609 if (persist_data) { 610 /* Nothing to do, we've already loaded or initialized it */ 611 return 0; 612 } 613 614 615 /* If not encrypted, just allocate an empty table and initialize it */ 616 property_get("ro.crypto.state", encrypted_state, ""); 617 if (strcmp(encrypted_state, "encrypted") ) { 618 pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE); 619 if (pdata) { 620 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 621 persist_data = pdata; 622 return 0; 623 } 624 return -1; 625 } 626 627 if(get_crypt_ftr_and_key(&crypt_ftr)) { 628 return -1; 629 } 630 631 if ((crypt_ftr.major_version < 1) 632 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 633 SLOGE("Crypt_ftr version doesn't support persistent data"); 634 return -1; 635 } 636 637 if (get_crypt_ftr_info(&fname, NULL)) { 638 return -1; 639 } 640 641 ret = validate_persistent_data_storage(&crypt_ftr); 642 if (ret) { 643 return -1; 644 } 645 646 fd = open(fname, O_RDONLY|O_CLOEXEC); 647 if (fd < 0) { 648 SLOGE("Cannot open %s metadata file", fname); 649 return -1; 650 } 651 652 pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size); 653 if (pdata == NULL) { 654 SLOGE("Cannot allocate memory for persistent data"); 655 goto err; 656 } 657 658 for (i = 0; i < 2; i++) { 659 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) { 660 SLOGE("Cannot seek to read persistent data on %s", fname); 661 goto err2; 662 } 663 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){ 664 SLOGE("Error reading persistent data on iteration %d", i); 665 goto err2; 666 } 667 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 668 found = 1; 669 break; 670 } 671 } 672 673 if (!found) { 674 SLOGI("Could not find valid persistent data, creating"); 675 init_empty_persist_data(pdata, crypt_ftr.persist_data_size); 676 } 677 678 /* Success */ 679 persist_data = pdata; 680 close(fd); 681 return 0; 682 683 err2: 684 free(pdata); 685 686 err: 687 close(fd); 688 return -1; 689 } 690 691 static int save_persistent_data(void) 692 { 693 struct crypt_mnt_ftr crypt_ftr; 694 struct crypt_persist_data *pdata; 695 char *fname; 696 off64_t write_offset; 697 off64_t erase_offset; 698 int fd; 699 int ret; 700 701 if (persist_data == NULL) { 702 SLOGE("No persistent data to save"); 703 return -1; 704 } 705 706 if(get_crypt_ftr_and_key(&crypt_ftr)) { 707 return -1; 708 } 709 710 if ((crypt_ftr.major_version < 1) 711 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 712 SLOGE("Crypt_ftr version doesn't support persistent data"); 713 return -1; 714 } 715 716 ret = validate_persistent_data_storage(&crypt_ftr); 717 if (ret) { 718 return -1; 719 } 720 721 if (get_crypt_ftr_info(&fname, NULL)) { 722 return -1; 723 } 724 725 fd = open(fname, O_RDWR|O_CLOEXEC); 726 if (fd < 0) { 727 SLOGE("Cannot open %s metadata file", fname); 728 return -1; 729 } 730 731 pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size); 732 if (pdata == NULL) { 733 SLOGE("Cannot allocate persistant data"); 734 goto err; 735 } 736 737 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) { 738 SLOGE("Cannot seek to read persistent data on %s", fname); 739 goto err2; 740 } 741 742 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) { 743 SLOGE("Error reading persistent data before save"); 744 goto err2; 745 } 746 747 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 748 /* The first copy is the curent valid copy, so write to 749 * the second copy and erase this one */ 750 write_offset = crypt_ftr.persist_data_offset[1]; 751 erase_offset = crypt_ftr.persist_data_offset[0]; 752 } else { 753 /* The second copy must be the valid copy, so write to 754 * the first copy, and erase the second */ 755 write_offset = crypt_ftr.persist_data_offset[0]; 756 erase_offset = crypt_ftr.persist_data_offset[1]; 757 } 758 759 /* Write the new copy first, if successful, then erase the old copy */ 760 if (lseek64(fd, write_offset, SEEK_SET) < 0) { 761 SLOGE("Cannot seek to write persistent data"); 762 goto err2; 763 } 764 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) == 765 (int) crypt_ftr.persist_data_size) { 766 if (lseek64(fd, erase_offset, SEEK_SET) < 0) { 767 SLOGE("Cannot seek to erase previous persistent data"); 768 goto err2; 769 } 770 fsync(fd); 771 memset(pdata, 0, crypt_ftr.persist_data_size); 772 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != 773 (int) crypt_ftr.persist_data_size) { 774 SLOGE("Cannot write to erase previous persistent data"); 775 goto err2; 776 } 777 fsync(fd); 778 } else { 779 SLOGE("Cannot write to save persistent data"); 780 goto err2; 781 } 782 783 /* Success */ 784 free(pdata); 785 close(fd); 786 return 0; 787 788 err2: 789 free(pdata); 790 err: 791 close(fd); 792 return -1; 793 } 794 795 /* Convert a binary key of specified length into an ascii hex string equivalent, 796 * without the leading 0x and with null termination 797 */ 798 static void convert_key_to_hex_ascii(const unsigned char *master_key, 799 unsigned int keysize, char *master_key_ascii) { 800 unsigned int i, a; 801 unsigned char nibble; 802 803 for (i=0, a=0; i<keysize; i++, a+=2) { 804 /* For each byte, write out two ascii hex digits */ 805 nibble = (master_key[i] >> 4) & 0xf; 806 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30); 807 808 nibble = master_key[i] & 0xf; 809 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30); 810 } 811 812 /* Add the null termination */ 813 master_key_ascii[a] = '\0'; 814 815 } 816 817 static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, 818 const unsigned char *master_key, const char *real_blk_name, 819 const char *name, int fd, const char *extra_params) { 820 alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE]; 821 struct dm_ioctl *io; 822 struct dm_target_spec *tgt; 823 char *crypt_params; 824 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 825 size_t buff_offset; 826 int i; 827 828 io = (struct dm_ioctl *) buffer; 829 830 /* Load the mapping table for this device */ 831 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)]; 832 833 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 834 io->target_count = 1; 835 tgt->status = 0; 836 tgt->sector_start = 0; 837 tgt->length = crypt_ftr->fs_size; 838 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); 839 840 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec); 841 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii); 842 843 buff_offset = crypt_params - buffer; 844 snprintf(crypt_params, sizeof(buffer) - buff_offset, "%s %s 0 %s 0 %s", 845 crypt_ftr->crypto_type_name, master_key_ascii, real_blk_name, 846 extra_params); 847 crypt_params += strlen(crypt_params) + 1; 848 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */ 849 tgt->next = crypt_params - buffer; 850 851 for (i = 0; i < TABLE_LOAD_RETRIES; i++) { 852 if (! ioctl(fd, DM_TABLE_LOAD, io)) { 853 break; 854 } 855 usleep(500000); 856 } 857 858 if (i == TABLE_LOAD_RETRIES) { 859 /* We failed to load the table, return an error */ 860 return -1; 861 } else { 862 return i + 1; 863 } 864 } 865 866 867 static int get_dm_crypt_version(int fd, const char *name, int *version) 868 { 869 char buffer[DM_CRYPT_BUF_SIZE]; 870 struct dm_ioctl *io; 871 struct dm_target_versions *v; 872 873 io = (struct dm_ioctl *) buffer; 874 875 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 876 877 if (ioctl(fd, DM_LIST_VERSIONS, io)) { 878 return -1; 879 } 880 881 /* Iterate over the returned versions, looking for name of "crypt". 882 * When found, get and return the version. 883 */ 884 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)]; 885 while (v->next) { 886 if (! strcmp(v->name, "crypt")) { 887 /* We found the crypt driver, return the version, and get out */ 888 version[0] = v->version[0]; 889 version[1] = v->version[1]; 890 version[2] = v->version[2]; 891 return 0; 892 } 893 v = (struct dm_target_versions *)(((char *)v) + v->next); 894 } 895 896 return -1; 897 } 898 899 static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, 900 const unsigned char *master_key, const char *real_blk_name, 901 char *crypto_blk_name, const char *name) { 902 char buffer[DM_CRYPT_BUF_SIZE]; 903 struct dm_ioctl *io; 904 unsigned int minor; 905 int fd=0; 906 int err; 907 int retval = -1; 908 int version[3]; 909 const char *extra_params; 910 int load_count; 911 912 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) { 913 SLOGE("Cannot open device-mapper\n"); 914 goto errout; 915 } 916 917 io = (struct dm_ioctl *) buffer; 918 919 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 920 err = ioctl(fd, DM_DEV_CREATE, io); 921 if (err) { 922 SLOGE("Cannot create dm-crypt device %s: %s\n", name, strerror(errno)); 923 goto errout; 924 } 925 926 /* Get the device status, in particular, the name of it's device file */ 927 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 928 if (ioctl(fd, DM_DEV_STATUS, io)) { 929 SLOGE("Cannot retrieve dm-crypt device status\n"); 930 goto errout; 931 } 932 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00); 933 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor); 934 935 extra_params = ""; 936 if (! get_dm_crypt_version(fd, name, version)) { 937 /* Support for allow_discards was added in version 1.11.0 */ 938 if ((version[0] >= 2) || 939 ((version[0] == 1) && (version[1] >= 11))) { 940 extra_params = "1 allow_discards"; 941 SLOGI("Enabling support for allow_discards in dmcrypt.\n"); 942 } 943 } 944 945 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, 946 fd, extra_params); 947 if (load_count < 0) { 948 SLOGE("Cannot load dm-crypt mapping table.\n"); 949 goto errout; 950 } else if (load_count > 1) { 951 SLOGI("Took %d tries to load dmcrypt table.\n", load_count); 952 } 953 954 /* Resume this device to activate it */ 955 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 956 957 if (ioctl(fd, DM_DEV_SUSPEND, io)) { 958 SLOGE("Cannot resume the dm-crypt device\n"); 959 goto errout; 960 } 961 962 /* We made it here with no errors. Woot! */ 963 retval = 0; 964 965 errout: 966 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 967 968 return retval; 969 } 970 971 static int delete_crypto_blk_dev(const char *name) 972 { 973 int fd; 974 char buffer[DM_CRYPT_BUF_SIZE]; 975 struct dm_ioctl *io; 976 int retval = -1; 977 978 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) { 979 SLOGE("Cannot open device-mapper\n"); 980 goto errout; 981 } 982 983 io = (struct dm_ioctl *) buffer; 984 985 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 986 if (ioctl(fd, DM_DEV_REMOVE, io)) { 987 SLOGE("Cannot remove dm-crypt device\n"); 988 goto errout; 989 } 990 991 /* We made it here with no errors. Woot! */ 992 retval = 0; 993 994 errout: 995 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 996 997 return retval; 998 999 } 1000 1001 static int pbkdf2(const char *passwd, const unsigned char *salt, 1002 unsigned char *ikey, void *params UNUSED) 1003 { 1004 SLOGI("Using pbkdf2 for cryptfs KDF"); 1005 1006 /* Turn the password into a key and IV that can decrypt the master key */ 1007 return PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd), salt, SALT_LEN, 1008 HASH_COUNT, KEY_LEN_BYTES + IV_LEN_BYTES, 1009 ikey) != 1; 1010 } 1011 1012 static int scrypt(const char *passwd, const unsigned char *salt, 1013 unsigned char *ikey, void *params) 1014 { 1015 SLOGI("Using scrypt for cryptfs KDF"); 1016 1017 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1018 1019 int N = 1 << ftr->N_factor; 1020 int r = 1 << ftr->r_factor; 1021 int p = 1 << ftr->p_factor; 1022 1023 /* Turn the password into a key and IV that can decrypt the master key */ 1024 unsigned int keysize; 1025 crypto_scrypt((const uint8_t*)passwd, strlen(passwd), 1026 salt, SALT_LEN, N, r, p, ikey, 1027 KEY_LEN_BYTES + IV_LEN_BYTES); 1028 1029 return 0; 1030 } 1031 1032 static int scrypt_keymaster(const char *passwd, const unsigned char *salt, 1033 unsigned char *ikey, void *params) 1034 { 1035 SLOGI("Using scrypt with keymaster for cryptfs KDF"); 1036 1037 int rc; 1038 size_t signature_size; 1039 unsigned char* signature; 1040 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1041 1042 int N = 1 << ftr->N_factor; 1043 int r = 1 << ftr->r_factor; 1044 int p = 1 << ftr->p_factor; 1045 1046 rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd), 1047 salt, SALT_LEN, N, r, p, ikey, 1048 KEY_LEN_BYTES + IV_LEN_BYTES); 1049 1050 if (rc) { 1051 SLOGE("scrypt failed"); 1052 return -1; 1053 } 1054 1055 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES, 1056 &signature, &signature_size)) { 1057 SLOGE("Signing failed"); 1058 return -1; 1059 } 1060 1061 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, 1062 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1063 free(signature); 1064 1065 if (rc) { 1066 SLOGE("scrypt failed"); 1067 return -1; 1068 } 1069 1070 return 0; 1071 } 1072 1073 static int encrypt_master_key(const char *passwd, const unsigned char *salt, 1074 const unsigned char *decrypted_master_key, 1075 unsigned char *encrypted_master_key, 1076 struct crypt_mnt_ftr *crypt_ftr) 1077 { 1078 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1079 EVP_CIPHER_CTX e_ctx; 1080 int encrypted_len, final_len; 1081 int rc = 0; 1082 1083 /* Turn the password into an intermediate key and IV that can decrypt the master key */ 1084 get_device_scrypt_params(crypt_ftr); 1085 1086 switch (crypt_ftr->kdf_type) { 1087 case KDF_SCRYPT_KEYMASTER: 1088 if (keymaster_create_key(crypt_ftr)) { 1089 SLOGE("keymaster_create_key failed"); 1090 return -1; 1091 } 1092 1093 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) { 1094 SLOGE("scrypt failed"); 1095 return -1; 1096 } 1097 break; 1098 1099 case KDF_SCRYPT: 1100 if (scrypt(passwd, salt, ikey, crypt_ftr)) { 1101 SLOGE("scrypt failed"); 1102 return -1; 1103 } 1104 break; 1105 1106 default: 1107 SLOGE("Invalid kdf_type"); 1108 return -1; 1109 } 1110 1111 /* Initialize the decryption engine */ 1112 EVP_CIPHER_CTX_init(&e_ctx); 1113 if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1114 SLOGE("EVP_EncryptInit failed\n"); 1115 return -1; 1116 } 1117 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */ 1118 1119 /* Encrypt the master key */ 1120 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, 1121 decrypted_master_key, KEY_LEN_BYTES)) { 1122 SLOGE("EVP_EncryptUpdate failed\n"); 1123 return -1; 1124 } 1125 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) { 1126 SLOGE("EVP_EncryptFinal failed\n"); 1127 return -1; 1128 } 1129 1130 if (encrypted_len + final_len != KEY_LEN_BYTES) { 1131 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len); 1132 return -1; 1133 } 1134 1135 /* Store the scrypt of the intermediate key, so we can validate if it's a 1136 password error or mount error when things go wrong. 1137 Note there's no need to check for errors, since if this is incorrect, we 1138 simply won't wipe userdata, which is the correct default behavior 1139 */ 1140 int N = 1 << crypt_ftr->N_factor; 1141 int r = 1 << crypt_ftr->r_factor; 1142 int p = 1 << crypt_ftr->p_factor; 1143 1144 rc = crypto_scrypt(ikey, KEY_LEN_BYTES, 1145 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p, 1146 crypt_ftr->scrypted_intermediate_key, 1147 sizeof(crypt_ftr->scrypted_intermediate_key)); 1148 1149 if (rc) { 1150 SLOGE("encrypt_master_key: crypto_scrypt failed"); 1151 } 1152 1153 EVP_CIPHER_CTX_cleanup(&e_ctx); 1154 1155 return 0; 1156 } 1157 1158 static int decrypt_master_key_aux(const char *passwd, unsigned char *salt, 1159 unsigned char *encrypted_master_key, 1160 unsigned char *decrypted_master_key, 1161 kdf_func kdf, void *kdf_params, 1162 unsigned char** intermediate_key, 1163 size_t* intermediate_key_size) 1164 { 1165 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1166 EVP_CIPHER_CTX d_ctx; 1167 int decrypted_len, final_len; 1168 1169 /* Turn the password into an intermediate key and IV that can decrypt the 1170 master key */ 1171 if (kdf(passwd, salt, ikey, kdf_params)) { 1172 SLOGE("kdf failed"); 1173 return -1; 1174 } 1175 1176 /* Initialize the decryption engine */ 1177 EVP_CIPHER_CTX_init(&d_ctx); 1178 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1179 return -1; 1180 } 1181 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */ 1182 /* Decrypt the master key */ 1183 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, 1184 encrypted_master_key, KEY_LEN_BYTES)) { 1185 return -1; 1186 } 1187 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) { 1188 return -1; 1189 } 1190 1191 if (decrypted_len + final_len != KEY_LEN_BYTES) { 1192 return -1; 1193 } 1194 1195 /* Copy intermediate key if needed by params */ 1196 if (intermediate_key && intermediate_key_size) { 1197 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES); 1198 if (*intermediate_key) { 1199 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES); 1200 *intermediate_key_size = KEY_LEN_BYTES; 1201 } 1202 } 1203 1204 EVP_CIPHER_CTX_cleanup(&d_ctx); 1205 1206 return 0; 1207 } 1208 1209 static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params) 1210 { 1211 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1212 *kdf = scrypt_keymaster; 1213 *kdf_params = ftr; 1214 } else if (ftr->kdf_type == KDF_SCRYPT) { 1215 *kdf = scrypt; 1216 *kdf_params = ftr; 1217 } else { 1218 *kdf = pbkdf2; 1219 *kdf_params = NULL; 1220 } 1221 } 1222 1223 static int decrypt_master_key(const char *passwd, unsigned char *decrypted_master_key, 1224 struct crypt_mnt_ftr *crypt_ftr, 1225 unsigned char** intermediate_key, 1226 size_t* intermediate_key_size) 1227 { 1228 kdf_func kdf; 1229 void *kdf_params; 1230 int ret; 1231 1232 get_kdf_func(crypt_ftr, &kdf, &kdf_params); 1233 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, 1234 decrypted_master_key, kdf, kdf_params, 1235 intermediate_key, intermediate_key_size); 1236 if (ret != 0) { 1237 SLOGW("failure decrypting master key"); 1238 } 1239 1240 return ret; 1241 } 1242 1243 static int create_encrypted_random_key(const char *passwd, unsigned char *master_key, unsigned char *salt, 1244 struct crypt_mnt_ftr *crypt_ftr) { 1245 int fd; 1246 unsigned char key_buf[KEY_LEN_BYTES]; 1247 1248 /* Get some random bits for a key */ 1249 fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC); 1250 read(fd, key_buf, sizeof(key_buf)); 1251 read(fd, salt, SALT_LEN); 1252 close(fd); 1253 1254 /* Now encrypt it with the password */ 1255 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr); 1256 } 1257 1258 int wait_and_unmount(const char *mountpoint, bool kill) 1259 { 1260 int i, err, rc; 1261 #define WAIT_UNMOUNT_COUNT 20 1262 1263 /* Now umount the tmpfs filesystem */ 1264 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) { 1265 if (umount(mountpoint) == 0) { 1266 break; 1267 } 1268 1269 if (errno == EINVAL) { 1270 /* EINVAL is returned if the directory is not a mountpoint, 1271 * i.e. there is no filesystem mounted there. So just get out. 1272 */ 1273 break; 1274 } 1275 1276 err = errno; 1277 1278 /* If allowed, be increasingly aggressive before the last two retries */ 1279 if (kill) { 1280 if (i == (WAIT_UNMOUNT_COUNT - 3)) { 1281 SLOGW("sending SIGHUP to processes with open files\n"); 1282 vold_killProcessesWithOpenFiles(mountpoint, SIGTERM); 1283 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) { 1284 SLOGW("sending SIGKILL to processes with open files\n"); 1285 vold_killProcessesWithOpenFiles(mountpoint, SIGKILL); 1286 } 1287 } 1288 1289 sleep(1); 1290 } 1291 1292 if (i < WAIT_UNMOUNT_COUNT) { 1293 SLOGD("unmounting %s succeeded\n", mountpoint); 1294 rc = 0; 1295 } else { 1296 vold_killProcessesWithOpenFiles(mountpoint, 0); 1297 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err)); 1298 rc = -1; 1299 } 1300 1301 return rc; 1302 } 1303 1304 static int prep_data_fs(void) 1305 { 1306 int i; 1307 1308 // NOTE: post_fs_data results in init calling back around to vold, so all 1309 // callers to this method must be async 1310 1311 /* Do the prep of the /data filesystem */ 1312 property_set("vold.post_fs_data_done", "0"); 1313 property_set("vold.decrypt", "trigger_post_fs_data"); 1314 SLOGD("Just triggered post_fs_data\n"); 1315 1316 /* Wait a max of 50 seconds, hopefully it takes much less */ 1317 if (!android::base::WaitForProperty("vold.post_fs_data_done", 1318 "1", 1319 std::chrono::seconds(50))) { 1320 /* Ugh, we failed to prep /data in time. Bail. */ 1321 SLOGE("post_fs_data timed out!\n"); 1322 return -1; 1323 } else { 1324 SLOGD("post_fs_data done\n"); 1325 return 0; 1326 } 1327 } 1328 1329 static void cryptfs_set_corrupt() 1330 { 1331 // Mark the footer as bad 1332 struct crypt_mnt_ftr crypt_ftr; 1333 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1334 SLOGE("Failed to get crypto footer - panic"); 1335 return; 1336 } 1337 1338 crypt_ftr.flags |= CRYPT_DATA_CORRUPT; 1339 if (put_crypt_ftr_and_key(&crypt_ftr)) { 1340 SLOGE("Failed to set crypto footer - panic"); 1341 return; 1342 } 1343 } 1344 1345 static void cryptfs_trigger_restart_min_framework() 1346 { 1347 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 1348 SLOGE("Failed to mount tmpfs on data - panic"); 1349 return; 1350 } 1351 1352 if (property_set("vold.decrypt", "trigger_post_fs_data")) { 1353 SLOGE("Failed to trigger post fs data - panic"); 1354 return; 1355 } 1356 1357 if (property_set("vold.decrypt", "trigger_restart_min_framework")) { 1358 SLOGE("Failed to trigger restart min framework - panic"); 1359 return; 1360 } 1361 } 1362 1363 /* returns < 0 on failure */ 1364 static int cryptfs_restart_internal(int restart_main) 1365 { 1366 char crypto_blkdev[MAXPATHLEN]; 1367 int rc = -1; 1368 static int restart_successful = 0; 1369 1370 /* Validate that it's OK to call this routine */ 1371 if (! master_key_saved) { 1372 SLOGE("Encrypted filesystem not validated, aborting"); 1373 return -1; 1374 } 1375 1376 if (restart_successful) { 1377 SLOGE("System already restarted with encrypted disk, aborting"); 1378 return -1; 1379 } 1380 1381 if (restart_main) { 1382 /* Here is where we shut down the framework. The init scripts 1383 * start all services in one of three classes: core, main or late_start. 1384 * On boot, we start core and main. Now, we stop main, but not core, 1385 * as core includes vold and a few other really important things that 1386 * we need to keep running. Once main has stopped, we should be able 1387 * to umount the tmpfs /data, then mount the encrypted /data. 1388 * We then restart the class main, and also the class late_start. 1389 * At the moment, I've only put a few things in late_start that I know 1390 * are not needed to bring up the framework, and that also cause problems 1391 * with unmounting the tmpfs /data, but I hope to add add more services 1392 * to the late_start class as we optimize this to decrease the delay 1393 * till the user is asked for the password to the filesystem. 1394 */ 1395 1396 /* The init files are setup to stop the class main when vold.decrypt is 1397 * set to trigger_reset_main. 1398 */ 1399 property_set("vold.decrypt", "trigger_reset_main"); 1400 SLOGD("Just asked init to shut down class main\n"); 1401 1402 /* Ugh, shutting down the framework is not synchronous, so until it 1403 * can be fixed, this horrible hack will wait a moment for it all to 1404 * shut down before proceeding. Without it, some devices cannot 1405 * restart the graphics services. 1406 */ 1407 sleep(2); 1408 } 1409 1410 /* Now that the framework is shutdown, we should be able to umount() 1411 * the tmpfs filesystem, and mount the real one. 1412 */ 1413 1414 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, ""); 1415 if (strlen(crypto_blkdev) == 0) { 1416 SLOGE("fs_crypto_blkdev not set\n"); 1417 return -1; 1418 } 1419 1420 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) { 1421 /* If ro.crypto.readonly is set to 1, mount the decrypted 1422 * filesystem readonly. This is used when /data is mounted by 1423 * recovery mode. 1424 */ 1425 char ro_prop[PROPERTY_VALUE_MAX]; 1426 property_get("ro.crypto.readonly", ro_prop, ""); 1427 if (strlen(ro_prop) > 0 && atoi(ro_prop)) { 1428 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 1429 rec->flags |= MS_RDONLY; 1430 } 1431 1432 /* If that succeeded, then mount the decrypted filesystem */ 1433 int retries = RETRY_MOUNT_ATTEMPTS; 1434 int mount_rc; 1435 1436 /* 1437 * fs_mgr_do_mount runs fsck. Use setexeccon to run trusted 1438 * partitions in the fsck domain. 1439 */ 1440 if (setexeccon(secontextFsck())){ 1441 SLOGE("Failed to setexeccon"); 1442 return -1; 1443 } 1444 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, 1445 crypto_blkdev, 0)) 1446 != 0) { 1447 if (mount_rc == FS_MGR_DOMNT_BUSY) { 1448 /* TODO: invoke something similar to 1449 Process::killProcessWithOpenFiles(DATA_MNT_POINT, 1450 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */ 1451 SLOGI("Failed to mount %s because it is busy - waiting", 1452 crypto_blkdev); 1453 if (--retries) { 1454 sleep(RETRY_MOUNT_DELAY_SECONDS); 1455 } else { 1456 /* Let's hope that a reboot clears away whatever is keeping 1457 the mount busy */ 1458 cryptfs_reboot(reboot); 1459 } 1460 } else { 1461 SLOGE("Failed to mount decrypted data"); 1462 cryptfs_set_corrupt(); 1463 cryptfs_trigger_restart_min_framework(); 1464 SLOGI("Started framework to offer wipe"); 1465 if (setexeccon(NULL)) { 1466 SLOGE("Failed to setexeccon"); 1467 } 1468 return -1; 1469 } 1470 } 1471 if (setexeccon(NULL)) { 1472 SLOGE("Failed to setexeccon"); 1473 return -1; 1474 } 1475 1476 /* Create necessary paths on /data */ 1477 if (prep_data_fs()) { 1478 return -1; 1479 } 1480 property_set("vold.decrypt", "trigger_load_persist_props"); 1481 1482 /* startup service classes main and late_start */ 1483 property_set("vold.decrypt", "trigger_restart_framework"); 1484 SLOGD("Just triggered restart_framework\n"); 1485 1486 /* Give it a few moments to get started */ 1487 sleep(1); 1488 } 1489 1490 if (rc == 0) { 1491 restart_successful = 1; 1492 } 1493 1494 return rc; 1495 } 1496 1497 int cryptfs_restart(void) 1498 { 1499 SLOGI("cryptfs_restart"); 1500 if (e4crypt_is_native()) { 1501 SLOGE("cryptfs_restart not valid for file encryption:"); 1502 return -1; 1503 } 1504 1505 /* Call internal implementation forcing a restart of main service group */ 1506 return cryptfs_restart_internal(1); 1507 } 1508 1509 static int do_crypto_complete(const char *mount_point) 1510 { 1511 struct crypt_mnt_ftr crypt_ftr; 1512 char encrypted_state[PROPERTY_VALUE_MAX]; 1513 char key_loc[PROPERTY_VALUE_MAX]; 1514 1515 property_get("ro.crypto.state", encrypted_state, ""); 1516 if (strcmp(encrypted_state, "encrypted") ) { 1517 SLOGE("not running with encryption, aborting"); 1518 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1519 } 1520 1521 // crypto_complete is full disk encrypted status 1522 if (e4crypt_is_native()) { 1523 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1524 } 1525 1526 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1527 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 1528 1529 /* 1530 * Only report this error if key_loc is a file and it exists. 1531 * If the device was never encrypted, and /data is not mountable for 1532 * some reason, returning 1 should prevent the UI from presenting the 1533 * a "enter password" screen, or worse, a "press button to wipe the 1534 * device" screen. 1535 */ 1536 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) { 1537 SLOGE("master key file does not exist, aborting"); 1538 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1539 } else { 1540 SLOGE("Error getting crypt footer and key\n"); 1541 return CRYPTO_COMPLETE_BAD_METADATA; 1542 } 1543 } 1544 1545 // Test for possible error flags 1546 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){ 1547 SLOGE("Encryption process is partway completed\n"); 1548 return CRYPTO_COMPLETE_PARTIAL; 1549 } 1550 1551 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){ 1552 SLOGE("Encryption process was interrupted but cannot continue\n"); 1553 return CRYPTO_COMPLETE_INCONSISTENT; 1554 } 1555 1556 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){ 1557 SLOGE("Encryption is successful but data is corrupt\n"); 1558 return CRYPTO_COMPLETE_CORRUPT; 1559 } 1560 1561 /* We passed the test! We shall diminish, and return to the west */ 1562 return CRYPTO_COMPLETE_ENCRYPTED; 1563 } 1564 1565 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, 1566 const char *passwd, const char *mount_point, const char *label) 1567 { 1568 /* Allocate enough space for a 256 bit key, but we may use less */ 1569 unsigned char decrypted_master_key[32]; 1570 char crypto_blkdev[MAXPATHLEN]; 1571 char real_blkdev[MAXPATHLEN]; 1572 char tmp_mount_point[64]; 1573 unsigned int orig_failed_decrypt_count; 1574 int rc; 1575 int use_keymaster = 0; 1576 int upgrade = 0; 1577 unsigned char* intermediate_key = 0; 1578 size_t intermediate_key_size = 0; 1579 int N = 1 << crypt_ftr->N_factor; 1580 int r = 1 << crypt_ftr->r_factor; 1581 int p = 1 << crypt_ftr->p_factor; 1582 1583 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size); 1584 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count; 1585 1586 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) { 1587 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, 1588 &intermediate_key, &intermediate_key_size)) { 1589 SLOGE("Failed to decrypt master key\n"); 1590 rc = -1; 1591 goto errout; 1592 } 1593 } 1594 1595 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 1596 1597 // Create crypto block device - all (non fatal) code paths 1598 // need it 1599 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, 1600 real_blkdev, crypto_blkdev, label)) { 1601 SLOGE("Error creating decrypted block device\n"); 1602 rc = -1; 1603 goto errout; 1604 } 1605 1606 /* Work out if the problem is the password or the data */ 1607 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr-> 1608 scrypted_intermediate_key)]; 1609 1610 rc = crypto_scrypt(intermediate_key, intermediate_key_size, 1611 crypt_ftr->salt, sizeof(crypt_ftr->salt), 1612 N, r, p, scrypted_intermediate_key, 1613 sizeof(scrypted_intermediate_key)); 1614 1615 // Does the key match the crypto footer? 1616 if (rc == 0 && memcmp(scrypted_intermediate_key, 1617 crypt_ftr->scrypted_intermediate_key, 1618 sizeof(scrypted_intermediate_key)) == 0) { 1619 SLOGI("Password matches"); 1620 rc = 0; 1621 } else { 1622 /* Try mounting the file system anyway, just in case the problem's with 1623 * the footer, not the key. */ 1624 snprintf(tmp_mount_point, sizeof(tmp_mount_point), "%s/tmp_mnt", 1625 mount_point); 1626 mkdir(tmp_mount_point, 0755); 1627 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) { 1628 SLOGE("Error temp mounting decrypted block device\n"); 1629 delete_crypto_blk_dev(label); 1630 1631 rc = ++crypt_ftr->failed_decrypt_count; 1632 put_crypt_ftr_and_key(crypt_ftr); 1633 } else { 1634 /* Success! */ 1635 SLOGI("Password did not match but decrypted drive mounted - continue"); 1636 umount(tmp_mount_point); 1637 rc = 0; 1638 } 1639 } 1640 1641 if (rc == 0) { 1642 crypt_ftr->failed_decrypt_count = 0; 1643 if (orig_failed_decrypt_count != 0) { 1644 put_crypt_ftr_and_key(crypt_ftr); 1645 } 1646 1647 /* Save the name of the crypto block device 1648 * so we can mount it when restarting the framework. */ 1649 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev); 1650 1651 /* Also save a the master key so we can reencrypted the key 1652 * the key when we want to change the password on it. */ 1653 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES); 1654 saved_mount_point = strdup(mount_point); 1655 master_key_saved = 1; 1656 SLOGD("%s(): Master key saved\n", __FUNCTION__); 1657 rc = 0; 1658 1659 // Upgrade if we're not using the latest KDF. 1660 use_keymaster = keymaster_check_compatibility(); 1661 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1662 // Don't allow downgrade 1663 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) { 1664 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 1665 upgrade = 1; 1666 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) { 1667 crypt_ftr->kdf_type = KDF_SCRYPT; 1668 upgrade = 1; 1669 } 1670 1671 if (upgrade) { 1672 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key, 1673 crypt_ftr->master_key, crypt_ftr); 1674 if (!rc) { 1675 rc = put_crypt_ftr_and_key(crypt_ftr); 1676 } 1677 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc); 1678 1679 // Do not fail even if upgrade failed - machine is bootable 1680 // Note that if this code is ever hit, there is a *serious* problem 1681 // since KDFs should never fail. You *must* fix the kdf before 1682 // proceeding! 1683 if (rc) { 1684 SLOGW("Upgrade failed with error %d," 1685 " but continuing with previous state", 1686 rc); 1687 rc = 0; 1688 } 1689 } 1690 } 1691 1692 errout: 1693 if (intermediate_key) { 1694 memset(intermediate_key, 0, intermediate_key_size); 1695 free(intermediate_key); 1696 } 1697 return rc; 1698 } 1699 1700 /* 1701 * Called by vold when it's asked to mount an encrypted external 1702 * storage volume. The incoming partition has no crypto header/footer, 1703 * as any metadata is been stored in a separate, small partition. 1704 * 1705 * out_crypto_blkdev must be MAXPATHLEN. 1706 */ 1707 int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev, 1708 const unsigned char* key, int keysize, char* out_crypto_blkdev) { 1709 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC); 1710 if (fd == -1) { 1711 SLOGE("Failed to open %s: %s", real_blkdev, strerror(errno)); 1712 return -1; 1713 } 1714 1715 unsigned long nr_sec = 0; 1716 get_blkdev_size(fd, &nr_sec); 1717 close(fd); 1718 1719 if (nr_sec == 0) { 1720 SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno)); 1721 return -1; 1722 } 1723 1724 struct crypt_mnt_ftr ext_crypt_ftr; 1725 memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr)); 1726 ext_crypt_ftr.fs_size = nr_sec; 1727 ext_crypt_ftr.keysize = keysize; 1728 strcpy((char*) ext_crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256"); 1729 1730 return create_crypto_blk_dev(&ext_crypt_ftr, key, real_blkdev, 1731 out_crypto_blkdev, label); 1732 } 1733 1734 /* 1735 * Called by vold when it's asked to unmount an encrypted external 1736 * storage volume. 1737 */ 1738 int cryptfs_revert_ext_volume(const char* label) { 1739 return delete_crypto_blk_dev((char*) label); 1740 } 1741 1742 int cryptfs_crypto_complete(void) 1743 { 1744 return do_crypto_complete("/data"); 1745 } 1746 1747 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) 1748 { 1749 char encrypted_state[PROPERTY_VALUE_MAX]; 1750 property_get("ro.crypto.state", encrypted_state, ""); 1751 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) { 1752 SLOGE("encrypted fs already validated or not running with encryption," 1753 " aborting"); 1754 return -1; 1755 } 1756 1757 if (get_crypt_ftr_and_key(crypt_ftr)) { 1758 SLOGE("Error getting crypt footer and key"); 1759 return -1; 1760 } 1761 1762 return 0; 1763 } 1764 1765 int cryptfs_check_passwd(const char *passwd) 1766 { 1767 SLOGI("cryptfs_check_passwd"); 1768 if (e4crypt_is_native()) { 1769 SLOGE("cryptfs_check_passwd not valid for file encryption"); 1770 return -1; 1771 } 1772 1773 struct crypt_mnt_ftr crypt_ftr; 1774 int rc; 1775 1776 rc = check_unmounted_and_get_ftr(&crypt_ftr); 1777 if (rc) { 1778 SLOGE("Could not get footer"); 1779 return rc; 1780 } 1781 1782 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 1783 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE); 1784 if (rc) { 1785 SLOGE("Password did not match"); 1786 return rc; 1787 } 1788 1789 if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) { 1790 // Here we have a default actual password but a real password 1791 // we must test against the scrypted value 1792 // First, we must delete the crypto block device that 1793 // test_mount_encrypted_fs leaves behind as a side effect 1794 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE); 1795 rc = test_mount_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD, 1796 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE); 1797 if (rc) { 1798 SLOGE("Default password did not match on reboot encryption"); 1799 return rc; 1800 } 1801 1802 crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE; 1803 put_crypt_ftr_and_key(&crypt_ftr); 1804 rc = cryptfs_changepw(crypt_ftr.crypt_type, passwd); 1805 if (rc) { 1806 SLOGE("Could not change password on reboot encryption"); 1807 return rc; 1808 } 1809 } 1810 1811 if (crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) { 1812 cryptfs_clear_password(); 1813 password = strdup(passwd); 1814 struct timespec now; 1815 clock_gettime(CLOCK_BOOTTIME, &now); 1816 password_expiry_time = now.tv_sec + password_max_age_seconds; 1817 } 1818 1819 return rc; 1820 } 1821 1822 int cryptfs_verify_passwd(char *passwd) 1823 { 1824 struct crypt_mnt_ftr crypt_ftr; 1825 /* Allocate enough space for a 256 bit key, but we may use less */ 1826 unsigned char decrypted_master_key[32]; 1827 char encrypted_state[PROPERTY_VALUE_MAX]; 1828 int rc; 1829 1830 property_get("ro.crypto.state", encrypted_state, ""); 1831 if (strcmp(encrypted_state, "encrypted") ) { 1832 SLOGE("device not encrypted, aborting"); 1833 return -2; 1834 } 1835 1836 if (!master_key_saved) { 1837 SLOGE("encrypted fs not yet mounted, aborting"); 1838 return -1; 1839 } 1840 1841 if (!saved_mount_point) { 1842 SLOGE("encrypted fs failed to save mount point, aborting"); 1843 return -1; 1844 } 1845 1846 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1847 SLOGE("Error getting crypt footer and key\n"); 1848 return -1; 1849 } 1850 1851 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) { 1852 /* If the device has no password, then just say the password is valid */ 1853 rc = 0; 1854 } else { 1855 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 1856 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) { 1857 /* They match, the password is correct */ 1858 rc = 0; 1859 } else { 1860 /* If incorrect, sleep for a bit to prevent dictionary attacks */ 1861 sleep(1); 1862 rc = 1; 1863 } 1864 } 1865 1866 return rc; 1867 } 1868 1869 /* Initialize a crypt_mnt_ftr structure. The keysize is 1870 * defaulted to 16 bytes, and the filesystem size to 0. 1871 * Presumably, at a minimum, the caller will update the 1872 * filesystem size and crypto_type_name after calling this function. 1873 */ 1874 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr) 1875 { 1876 off64_t off; 1877 1878 memset(ftr, 0, sizeof(struct crypt_mnt_ftr)); 1879 ftr->magic = CRYPT_MNT_MAGIC; 1880 ftr->major_version = CURRENT_MAJOR_VERSION; 1881 ftr->minor_version = CURRENT_MINOR_VERSION; 1882 ftr->ftr_size = sizeof(struct crypt_mnt_ftr); 1883 ftr->keysize = KEY_LEN_BYTES; 1884 1885 switch (keymaster_check_compatibility()) { 1886 case 1: 1887 ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 1888 break; 1889 1890 case 0: 1891 ftr->kdf_type = KDF_SCRYPT; 1892 break; 1893 1894 default: 1895 SLOGE("keymaster_check_compatibility failed"); 1896 return -1; 1897 } 1898 1899 get_device_scrypt_params(ftr); 1900 1901 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 1902 if (get_crypt_ftr_info(NULL, &off) == 0) { 1903 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET; 1904 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + 1905 ftr->persist_data_size; 1906 } 1907 1908 return 0; 1909 } 1910 1911 static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type) 1912 { 1913 const char *args[10]; 1914 char size_str[32]; /* Must be large enough to hold a %lld and null byte */ 1915 int num_args; 1916 int status; 1917 int tmp; 1918 int rc = -1; 1919 1920 if (type == EXT4_FS) { 1921 #ifdef TARGET_USES_MKE2FS 1922 args[0] = "/system/bin/mke2fs"; 1923 args[1] = "-M"; 1924 args[2] = "/data"; 1925 args[3] = "-b"; 1926 args[4] = "4096"; 1927 args[5] = "-t"; 1928 args[6] = "ext4"; 1929 args[7] = crypto_blkdev; 1930 snprintf(size_str, sizeof(size_str), "%" PRId64, size / (4096 / 512)); 1931 args[8] = size_str; 1932 num_args = 9; 1933 #else 1934 args[0] = "/system/bin/make_ext4fs"; 1935 args[1] = "-a"; 1936 args[2] = "/data"; 1937 args[3] = "-l"; 1938 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512); 1939 args[4] = size_str; 1940 args[5] = crypto_blkdev; 1941 num_args = 6; 1942 #endif 1943 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n", 1944 args[0], args[1], args[2], args[3], args[4], args[5]); 1945 } else if (type == F2FS_FS) { 1946 args[0] = "/system/bin/mkfs.f2fs"; 1947 args[1] = "-t"; 1948 args[2] = "-d1"; 1949 args[3] = crypto_blkdev; 1950 snprintf(size_str, sizeof(size_str), "%" PRId64, size); 1951 args[4] = size_str; 1952 num_args = 5; 1953 SLOGI("Making empty filesystem with command %s %s %s %s %s\n", 1954 args[0], args[1], args[2], args[3], args[4]); 1955 } else { 1956 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type); 1957 return -1; 1958 } 1959 1960 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true); 1961 1962 if (tmp != 0) { 1963 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev); 1964 } else { 1965 if (WIFEXITED(status)) { 1966 if (WEXITSTATUS(status)) { 1967 SLOGE("Error creating filesystem on %s, exit status %d ", 1968 crypto_blkdev, WEXITSTATUS(status)); 1969 } else { 1970 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev); 1971 rc = 0; 1972 } 1973 } else { 1974 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev); 1975 } 1976 } 1977 1978 return rc; 1979 } 1980 1981 #define CRYPT_INPLACE_BUFSIZE 4096 1982 #define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE) 1983 #define CRYPT_SECTOR_SIZE 512 1984 1985 /* aligned 32K writes tends to make flash happy. 1986 * SD card association recommends it. 1987 */ 1988 #define BLOCKS_AT_A_TIME 8 1989 1990 struct encryptGroupsData 1991 { 1992 int realfd; 1993 int cryptofd; 1994 off64_t numblocks; 1995 off64_t one_pct, cur_pct, new_pct; 1996 off64_t blocks_already_done, tot_numblocks; 1997 off64_t used_blocks_already_done, tot_used_blocks; 1998 char* real_blkdev, * crypto_blkdev; 1999 int count; 2000 off64_t offset; 2001 char* buffer; 2002 off64_t last_written_sector; 2003 int completed; 2004 time_t time_started; 2005 int remaining_time; 2006 }; 2007 2008 static void update_progress(struct encryptGroupsData* data, int is_used) 2009 { 2010 data->blocks_already_done++; 2011 2012 if (is_used) { 2013 data->used_blocks_already_done++; 2014 } 2015 if (data->tot_used_blocks) { 2016 data->new_pct = data->used_blocks_already_done / data->one_pct; 2017 } else { 2018 data->new_pct = data->blocks_already_done / data->one_pct; 2019 } 2020 2021 if (data->new_pct > data->cur_pct) { 2022 char buf[8]; 2023 data->cur_pct = data->new_pct; 2024 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct); 2025 property_set("vold.encrypt_progress", buf); 2026 } 2027 2028 if (data->cur_pct >= 5) { 2029 struct timespec time_now; 2030 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) { 2031 SLOGW("Error getting time"); 2032 } else { 2033 double elapsed_time = difftime(time_now.tv_sec, data->time_started); 2034 off64_t remaining_blocks = data->tot_used_blocks 2035 - data->used_blocks_already_done; 2036 int remaining_time = (int)(elapsed_time * remaining_blocks 2037 / data->used_blocks_already_done); 2038 2039 // Change time only if not yet set, lower, or a lot higher for 2040 // best user experience 2041 if (data->remaining_time == -1 2042 || remaining_time < data->remaining_time 2043 || remaining_time > data->remaining_time + 60) { 2044 char buf[8]; 2045 snprintf(buf, sizeof(buf), "%d", remaining_time); 2046 property_set("vold.encrypt_time_remaining", buf); 2047 data->remaining_time = remaining_time; 2048 } 2049 } 2050 } 2051 } 2052 2053 static void log_progress(struct encryptGroupsData const* data, bool completed) 2054 { 2055 // Precondition - if completed data = 0 else data != 0 2056 2057 // Track progress so we can skip logging blocks 2058 static off64_t offset = -1; 2059 2060 // Need to close existing 'Encrypting from' log? 2061 if (completed || (offset != -1 && data->offset != offset)) { 2062 SLOGI("Encrypted to sector %" PRId64, 2063 offset / info.block_size * CRYPT_SECTOR_SIZE); 2064 offset = -1; 2065 } 2066 2067 // Need to start new 'Encrypting from' log? 2068 if (!completed && offset != data->offset) { 2069 SLOGI("Encrypting from sector %" PRId64, 2070 data->offset / info.block_size * CRYPT_SECTOR_SIZE); 2071 } 2072 2073 // Update offset 2074 if (!completed) { 2075 offset = data->offset + (off64_t)data->count * info.block_size; 2076 } 2077 } 2078 2079 static int flush_outstanding_data(struct encryptGroupsData* data) 2080 { 2081 if (data->count == 0) { 2082 return 0; 2083 } 2084 2085 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset); 2086 2087 if (pread64(data->realfd, data->buffer, 2088 info.block_size * data->count, data->offset) 2089 <= 0) { 2090 SLOGE("Error reading real_blkdev %s for inplace encrypt", 2091 data->real_blkdev); 2092 return -1; 2093 } 2094 2095 if (pwrite64(data->cryptofd, data->buffer, 2096 info.block_size * data->count, data->offset) 2097 <= 0) { 2098 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", 2099 data->crypto_blkdev); 2100 return -1; 2101 } else { 2102 log_progress(data, false); 2103 } 2104 2105 data->count = 0; 2106 data->last_written_sector = (data->offset + data->count) 2107 / info.block_size * CRYPT_SECTOR_SIZE - 1; 2108 return 0; 2109 } 2110 2111 static int encrypt_groups(struct encryptGroupsData* data) 2112 { 2113 unsigned int i; 2114 u8 *block_bitmap = 0; 2115 unsigned int block; 2116 off64_t ret; 2117 int rc = -1; 2118 2119 data->buffer = (char *)malloc(info.block_size * BLOCKS_AT_A_TIME); 2120 if (!data->buffer) { 2121 SLOGE("Failed to allocate crypto buffer"); 2122 goto errout; 2123 } 2124 2125 block_bitmap = (u8 *)malloc(info.block_size); 2126 if (!block_bitmap) { 2127 SLOGE("failed to allocate block bitmap"); 2128 goto errout; 2129 } 2130 2131 for (i = 0; i < aux_info.groups; ++i) { 2132 SLOGI("Encrypting group %d", i); 2133 2134 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group; 2135 u32 block_count = std::min(info.blocks_per_group, 2136 (u32)(aux_info.len_blocks - first_block)); 2137 2138 off64_t offset = (u64)info.block_size 2139 * aux_info.bg_desc[i].bg_block_bitmap; 2140 2141 ret = pread64(data->realfd, block_bitmap, info.block_size, offset); 2142 if (ret != (int)info.block_size) { 2143 SLOGE("failed to read all of block group bitmap %d", i); 2144 goto errout; 2145 } 2146 2147 offset = (u64)info.block_size * first_block; 2148 2149 data->count = 0; 2150 2151 for (block = 0; block < block_count; block++) { 2152 int used = (aux_info.bg_desc[i].bg_flags & EXT4_BG_BLOCK_UNINIT) ? 2153 0 : bitmap_get_bit(block_bitmap, block); 2154 update_progress(data, used); 2155 if (used) { 2156 if (data->count == 0) { 2157 data->offset = offset; 2158 } 2159 data->count++; 2160 } else { 2161 if (flush_outstanding_data(data)) { 2162 goto errout; 2163 } 2164 } 2165 2166 offset += info.block_size; 2167 2168 /* Write data if we are aligned or buffer size reached */ 2169 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0 2170 || data->count == BLOCKS_AT_A_TIME) { 2171 if (flush_outstanding_data(data)) { 2172 goto errout; 2173 } 2174 } 2175 2176 if (!is_battery_ok_to_continue()) { 2177 SLOGE("Stopping encryption due to low battery"); 2178 rc = 0; 2179 goto errout; 2180 } 2181 2182 } 2183 if (flush_outstanding_data(data)) { 2184 goto errout; 2185 } 2186 } 2187 2188 data->completed = 1; 2189 rc = 0; 2190 2191 errout: 2192 log_progress(0, true); 2193 free(data->buffer); 2194 free(block_bitmap); 2195 return rc; 2196 } 2197 2198 static int cryptfs_enable_inplace_ext4(char *crypto_blkdev, 2199 char *real_blkdev, 2200 off64_t size, 2201 off64_t *size_already_done, 2202 off64_t tot_size, 2203 off64_t previously_encrypted_upto) 2204 { 2205 u32 i; 2206 struct encryptGroupsData data; 2207 int rc; // Can't initialize without causing warning -Wclobbered 2208 struct timespec time_started = {0}; 2209 int retries = RETRY_MOUNT_ATTEMPTS; 2210 2211 if (previously_encrypted_upto > *size_already_done) { 2212 SLOGD("Not fast encrypting since resuming part way through"); 2213 return -1; 2214 } 2215 2216 memset(&data, 0, sizeof(data)); 2217 data.real_blkdev = real_blkdev; 2218 data.crypto_blkdev = crypto_blkdev; 2219 2220 if ( (data.realfd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) { 2221 SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n", 2222 real_blkdev, errno, strerror(errno)); 2223 rc = -1; 2224 goto errout; 2225 } 2226 2227 // Wait until the block device appears. Re-use the mount retry values since it is reasonable. 2228 while ((data.cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) { 2229 if (--retries) { 2230 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s), retrying\n", 2231 crypto_blkdev, errno, strerror(errno)); 2232 sleep(RETRY_MOUNT_DELAY_SECONDS); 2233 } else { 2234 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n", 2235 crypto_blkdev, errno, strerror(errno)); 2236 rc = ENABLE_INPLACE_ERR_DEV; 2237 goto errout; 2238 } 2239 } 2240 2241 if (setjmp(setjmp_env)) { 2242 SLOGE("Reading ext4 extent caused an exception\n"); 2243 rc = -1; 2244 goto errout; 2245 } 2246 2247 if (read_ext(data.realfd, 0) != 0) { 2248 SLOGE("Failed to read ext4 extent\n"); 2249 rc = -1; 2250 goto errout; 2251 } 2252 2253 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2254 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2255 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2256 2257 SLOGI("Encrypting ext4 filesystem in place..."); 2258 2259 data.tot_used_blocks = data.numblocks; 2260 for (i = 0; i < aux_info.groups; ++i) { 2261 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count; 2262 } 2263 2264 data.one_pct = data.tot_used_blocks / 100; 2265 data.cur_pct = 0; 2266 2267 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) { 2268 SLOGW("Error getting time at start"); 2269 // Note - continue anyway - we'll run with 0 2270 } 2271 data.time_started = time_started.tv_sec; 2272 data.remaining_time = -1; 2273 2274 rc = encrypt_groups(&data); 2275 if (rc) { 2276 SLOGE("Error encrypting groups"); 2277 goto errout; 2278 } 2279 2280 *size_already_done += data.completed ? size : data.last_written_sector; 2281 rc = 0; 2282 2283 errout: 2284 close(data.realfd); 2285 close(data.cryptofd); 2286 2287 return rc; 2288 } 2289 2290 static void log_progress_f2fs(u64 block, bool completed) 2291 { 2292 // Precondition - if completed data = 0 else data != 0 2293 2294 // Track progress so we can skip logging blocks 2295 static u64 last_block = (u64)-1; 2296 2297 // Need to close existing 'Encrypting from' log? 2298 if (completed || (last_block != (u64)-1 && block != last_block + 1)) { 2299 SLOGI("Encrypted to block %" PRId64, last_block); 2300 last_block = -1; 2301 } 2302 2303 // Need to start new 'Encrypting from' log? 2304 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) { 2305 SLOGI("Encrypting from block %" PRId64, block); 2306 } 2307 2308 // Update offset 2309 if (!completed) { 2310 last_block = block; 2311 } 2312 } 2313 2314 static int encrypt_one_block_f2fs(u64 pos, void *data) 2315 { 2316 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data; 2317 2318 priv_dat->blocks_already_done = pos - 1; 2319 update_progress(priv_dat, 1); 2320 2321 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE; 2322 2323 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2324 SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2325 return -1; 2326 } 2327 2328 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2329 SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2330 return -1; 2331 } else { 2332 log_progress_f2fs(pos, false); 2333 } 2334 2335 return 0; 2336 } 2337 2338 static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev, 2339 char *real_blkdev, 2340 off64_t size, 2341 off64_t *size_already_done, 2342 off64_t tot_size, 2343 off64_t previously_encrypted_upto) 2344 { 2345 struct encryptGroupsData data; 2346 struct f2fs_info *f2fs_info = NULL; 2347 int rc = ENABLE_INPLACE_ERR_OTHER; 2348 if (previously_encrypted_upto > *size_already_done) { 2349 SLOGD("Not fast encrypting since resuming part way through"); 2350 return ENABLE_INPLACE_ERR_OTHER; 2351 } 2352 memset(&data, 0, sizeof(data)); 2353 data.real_blkdev = real_blkdev; 2354 data.crypto_blkdev = crypto_blkdev; 2355 data.realfd = -1; 2356 data.cryptofd = -1; 2357 if ( (data.realfd = open64(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) { 2358 SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n", 2359 real_blkdev); 2360 goto errout; 2361 } 2362 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) { 2363 SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n", 2364 crypto_blkdev, errno, strerror(errno)); 2365 rc = ENABLE_INPLACE_ERR_DEV; 2366 goto errout; 2367 } 2368 2369 f2fs_info = generate_f2fs_info(data.realfd); 2370 if (!f2fs_info) 2371 goto errout; 2372 2373 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2374 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2375 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2376 2377 data.tot_used_blocks = get_num_blocks_used(f2fs_info); 2378 2379 data.one_pct = data.tot_used_blocks / 100; 2380 data.cur_pct = 0; 2381 data.time_started = time(NULL); 2382 data.remaining_time = -1; 2383 2384 data.buffer = (char *)malloc(f2fs_info->block_size); 2385 if (!data.buffer) { 2386 SLOGE("Failed to allocate crypto buffer"); 2387 goto errout; 2388 } 2389 2390 data.count = 0; 2391 2392 /* Currently, this either runs to completion, or hits a nonrecoverable error */ 2393 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data); 2394 2395 if (rc) { 2396 SLOGE("Error in running over f2fs blocks"); 2397 rc = ENABLE_INPLACE_ERR_OTHER; 2398 goto errout; 2399 } 2400 2401 *size_already_done += size; 2402 rc = 0; 2403 2404 errout: 2405 if (rc) 2406 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev); 2407 2408 log_progress_f2fs(0, true); 2409 free(f2fs_info); 2410 free(data.buffer); 2411 close(data.realfd); 2412 close(data.cryptofd); 2413 2414 return rc; 2415 } 2416 2417 static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev, 2418 off64_t size, off64_t *size_already_done, 2419 off64_t tot_size, 2420 off64_t previously_encrypted_upto) 2421 { 2422 int realfd, cryptofd; 2423 char *buf[CRYPT_INPLACE_BUFSIZE]; 2424 int rc = ENABLE_INPLACE_ERR_OTHER; 2425 off64_t numblocks, i, remainder; 2426 off64_t one_pct, cur_pct, new_pct; 2427 off64_t blocks_already_done, tot_numblocks; 2428 2429 if ( (realfd = open(real_blkdev, O_RDONLY|O_CLOEXEC)) < 0) { 2430 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev); 2431 return ENABLE_INPLACE_ERR_OTHER; 2432 } 2433 2434 if ( (cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) { 2435 SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n", 2436 crypto_blkdev, errno, strerror(errno)); 2437 close(realfd); 2438 return ENABLE_INPLACE_ERR_DEV; 2439 } 2440 2441 /* This is pretty much a simple loop of reading 4K, and writing 4K. 2442 * The size passed in is the number of 512 byte sectors in the filesystem. 2443 * So compute the number of whole 4K blocks we should read/write, 2444 * and the remainder. 2445 */ 2446 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2447 remainder = size % CRYPT_SECTORS_PER_BUFSIZE; 2448 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2449 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2450 2451 SLOGE("Encrypting filesystem in place..."); 2452 2453 i = previously_encrypted_upto + 1 - *size_already_done; 2454 2455 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2456 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev); 2457 goto errout; 2458 } 2459 2460 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2461 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev); 2462 goto errout; 2463 } 2464 2465 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) { 2466 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2467 SLOGE("Error reading initial sectors from real_blkdev %s for " 2468 "inplace encrypt\n", crypto_blkdev); 2469 goto errout; 2470 } 2471 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2472 SLOGE("Error writing initial sectors to crypto_blkdev %s for " 2473 "inplace encrypt\n", crypto_blkdev); 2474 goto errout; 2475 } else { 2476 SLOGI("Encrypted 1 block at %" PRId64, i); 2477 } 2478 } 2479 2480 one_pct = tot_numblocks / 100; 2481 cur_pct = 0; 2482 /* process the majority of the filesystem in blocks */ 2483 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) { 2484 new_pct = (i + blocks_already_done) / one_pct; 2485 if (new_pct > cur_pct) { 2486 char buf[8]; 2487 2488 cur_pct = new_pct; 2489 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct); 2490 property_set("vold.encrypt_progress", buf); 2491 } 2492 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2493 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev); 2494 goto errout; 2495 } 2496 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2497 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2498 goto errout; 2499 } else { 2500 SLOGD("Encrypted %d block at %" PRId64, 2501 CRYPT_SECTORS_PER_BUFSIZE, 2502 i * CRYPT_SECTORS_PER_BUFSIZE); 2503 } 2504 2505 if (!is_battery_ok_to_continue()) { 2506 SLOGE("Stopping encryption due to low battery"); 2507 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1; 2508 rc = 0; 2509 goto errout; 2510 } 2511 } 2512 2513 /* Do any remaining sectors */ 2514 for (i=0; i<remainder; i++) { 2515 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2516 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev); 2517 goto errout; 2518 } 2519 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2520 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2521 goto errout; 2522 } else { 2523 SLOGI("Encrypted 1 block at next location"); 2524 } 2525 } 2526 2527 *size_already_done += size; 2528 rc = 0; 2529 2530 errout: 2531 close(realfd); 2532 close(cryptofd); 2533 2534 return rc; 2535 } 2536 2537 /* returns on of the ENABLE_INPLACE_* return codes */ 2538 static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev, 2539 off64_t size, off64_t *size_already_done, 2540 off64_t tot_size, 2541 off64_t previously_encrypted_upto) 2542 { 2543 int rc_ext4, rc_f2fs, rc_full; 2544 if (previously_encrypted_upto) { 2545 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto); 2546 } 2547 2548 if (*size_already_done + size < previously_encrypted_upto) { 2549 *size_already_done += size; 2550 return 0; 2551 } 2552 2553 /* TODO: identify filesystem type. 2554 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and 2555 * then we will drop down to cryptfs_enable_inplace_f2fs. 2556 * */ 2557 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev, 2558 size, size_already_done, 2559 tot_size, previously_encrypted_upto)) == 0) { 2560 return 0; 2561 } 2562 SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4); 2563 2564 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev, 2565 size, size_already_done, 2566 tot_size, previously_encrypted_upto)) == 0) { 2567 return 0; 2568 } 2569 SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs); 2570 2571 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev, 2572 size, size_already_done, tot_size, 2573 previously_encrypted_upto); 2574 SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full); 2575 2576 /* Hack for b/17898962, the following is the symptom... */ 2577 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV 2578 && rc_f2fs == ENABLE_INPLACE_ERR_DEV 2579 && rc_full == ENABLE_INPLACE_ERR_DEV) { 2580 return ENABLE_INPLACE_ERR_DEV; 2581 } 2582 return rc_full; 2583 } 2584 2585 #define CRYPTO_ENABLE_WIPE 1 2586 #define CRYPTO_ENABLE_INPLACE 2 2587 2588 #define FRAMEWORK_BOOT_WAIT 60 2589 2590 static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf) 2591 { 2592 int fd = open(filename, O_RDONLY|O_CLOEXEC); 2593 if (fd == -1) { 2594 SLOGE("Error opening file %s", filename); 2595 return -1; 2596 } 2597 2598 char block[CRYPT_INPLACE_BUFSIZE]; 2599 memset(block, 0, sizeof(block)); 2600 if (unix_read(fd, block, sizeof(block)) < 0) { 2601 SLOGE("Error reading file %s", filename); 2602 close(fd); 2603 return -1; 2604 } 2605 2606 close(fd); 2607 2608 SHA256_CTX c; 2609 SHA256_Init(&c); 2610 SHA256_Update(&c, block, sizeof(block)); 2611 SHA256_Final(buf, &c); 2612 2613 return 0; 2614 } 2615 2616 static int get_fs_type(struct fstab_rec *rec) 2617 { 2618 if (!strcmp(rec->fs_type, "ext4")) { 2619 return EXT4_FS; 2620 } else if (!strcmp(rec->fs_type, "f2fs")) { 2621 return F2FS_FS; 2622 } else { 2623 return -1; 2624 } 2625 } 2626 2627 static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how, 2628 char *crypto_blkdev, char *real_blkdev, 2629 int previously_encrypted_upto) 2630 { 2631 off64_t cur_encryption_done=0, tot_encryption_size=0; 2632 int rc = -1; 2633 2634 if (!is_battery_ok_to_start()) { 2635 SLOGW("Not starting encryption due to low battery"); 2636 return 0; 2637 } 2638 2639 /* The size of the userdata partition, and add in the vold volumes below */ 2640 tot_encryption_size = crypt_ftr->fs_size; 2641 2642 if (how == CRYPTO_ENABLE_WIPE) { 2643 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 2644 int fs_type = get_fs_type(rec); 2645 if (fs_type < 0) { 2646 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type); 2647 return -1; 2648 } 2649 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type); 2650 } else if (how == CRYPTO_ENABLE_INPLACE) { 2651 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, 2652 crypt_ftr->fs_size, &cur_encryption_done, 2653 tot_encryption_size, 2654 previously_encrypted_upto); 2655 2656 if (rc == ENABLE_INPLACE_ERR_DEV) { 2657 /* Hack for b/17898962 */ 2658 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n"); 2659 cryptfs_reboot(reboot); 2660 } 2661 2662 if (!rc) { 2663 crypt_ftr->encrypted_upto = cur_encryption_done; 2664 } 2665 2666 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) { 2667 /* The inplace routine never actually sets the progress to 100% due 2668 * to the round down nature of integer division, so set it here */ 2669 property_set("vold.encrypt_progress", "100"); 2670 } 2671 } else { 2672 /* Shouldn't happen */ 2673 SLOGE("cryptfs_enable: internal error, unknown option\n"); 2674 rc = -1; 2675 } 2676 2677 return rc; 2678 } 2679 2680 int cryptfs_enable_internal(char *howarg, int crypt_type, const char *passwd, 2681 int no_ui) 2682 { 2683 int how = 0; 2684 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN]; 2685 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 2686 int rc=-1, i; 2687 struct crypt_mnt_ftr crypt_ftr; 2688 struct crypt_persist_data *pdata; 2689 char encrypted_state[PROPERTY_VALUE_MAX]; 2690 char lockid[32] = { 0 }; 2691 char key_loc[PROPERTY_VALUE_MAX]; 2692 int num_vols; 2693 off64_t previously_encrypted_upto = 0; 2694 bool rebootEncryption = false; 2695 bool onlyCreateHeader = false; 2696 int fd = -1; 2697 2698 if (!strcmp(howarg, "wipe")) { 2699 how = CRYPTO_ENABLE_WIPE; 2700 } else if (! strcmp(howarg, "inplace")) { 2701 how = CRYPTO_ENABLE_INPLACE; 2702 } else { 2703 /* Shouldn't happen, as CommandListener vets the args */ 2704 goto error_unencrypted; 2705 } 2706 2707 if (how == CRYPTO_ENABLE_INPLACE 2708 && get_crypt_ftr_and_key(&crypt_ftr) == 0) { 2709 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) { 2710 /* An encryption was underway and was interrupted */ 2711 previously_encrypted_upto = crypt_ftr.encrypted_upto; 2712 crypt_ftr.encrypted_upto = 0; 2713 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS; 2714 2715 /* At this point, we are in an inconsistent state. Until we successfully 2716 complete encryption, a reboot will leave us broken. So mark the 2717 encryption failed in case that happens. 2718 On successfully completing encryption, remove this flag */ 2719 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2720 2721 put_crypt_ftr_and_key(&crypt_ftr); 2722 } else if (crypt_ftr.flags & CRYPT_FORCE_ENCRYPTION) { 2723 if (!check_ftr_sha(&crypt_ftr)) { 2724 memset(&crypt_ftr, 0, sizeof(crypt_ftr)); 2725 put_crypt_ftr_and_key(&crypt_ftr); 2726 goto error_unencrypted; 2727 } 2728 2729 /* Doing a reboot-encryption*/ 2730 crypt_ftr.flags &= ~CRYPT_FORCE_ENCRYPTION; 2731 crypt_ftr.flags |= CRYPT_FORCE_COMPLETE; 2732 rebootEncryption = true; 2733 } 2734 } 2735 2736 property_get("ro.crypto.state", encrypted_state, ""); 2737 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) { 2738 SLOGE("Device is already running encrypted, aborting"); 2739 goto error_unencrypted; 2740 } 2741 2742 // TODO refactor fs_mgr_get_crypt_info to get both in one call 2743 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 2744 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 2745 2746 /* Get the size of the real block device */ 2747 fd = open(real_blkdev, O_RDONLY|O_CLOEXEC); 2748 if (fd == -1) { 2749 SLOGE("Cannot open block device %s\n", real_blkdev); 2750 goto error_unencrypted; 2751 } 2752 unsigned long nr_sec; 2753 get_blkdev_size(fd, &nr_sec); 2754 if (nr_sec == 0) { 2755 SLOGE("Cannot get size of block device %s\n", real_blkdev); 2756 goto error_unencrypted; 2757 } 2758 close(fd); 2759 2760 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */ 2761 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) { 2762 unsigned int fs_size_sec, max_fs_size_sec; 2763 fs_size_sec = get_fs_size(real_blkdev); 2764 if (fs_size_sec == 0) 2765 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev); 2766 2767 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 2768 2769 if (fs_size_sec > max_fs_size_sec) { 2770 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place."); 2771 goto error_unencrypted; 2772 } 2773 } 2774 2775 /* Get a wakelock as this may take a while, and we don't want the 2776 * device to sleep on us. We'll grab a partial wakelock, and if the UI 2777 * wants to keep the screen on, it can grab a full wakelock. 2778 */ 2779 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid()); 2780 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid); 2781 2782 /* The init files are setup to stop the class main and late start when 2783 * vold sets trigger_shutdown_framework. 2784 */ 2785 property_set("vold.decrypt", "trigger_shutdown_framework"); 2786 SLOGD("Just asked init to shut down class main\n"); 2787 2788 /* Ask vold to unmount all devices that it manages */ 2789 if (vold_unmountAll()) { 2790 SLOGE("Failed to unmount all vold managed devices"); 2791 } 2792 2793 /* no_ui means we are being called from init, not settings. 2794 Now we always reboot from settings, so !no_ui means reboot 2795 */ 2796 if (!no_ui) { 2797 /* Try fallback, which is to reboot and try there */ 2798 onlyCreateHeader = true; 2799 FILE* breadcrumb = fopen(BREADCRUMB_FILE, "we"); 2800 if (breadcrumb == 0) { 2801 SLOGE("Failed to create breadcrumb file"); 2802 goto error_shutting_down; 2803 } 2804 fclose(breadcrumb); 2805 } 2806 2807 /* Do extra work for a better UX when doing the long inplace encryption */ 2808 if (how == CRYPTO_ENABLE_INPLACE && !onlyCreateHeader) { 2809 /* Now that /data is unmounted, we need to mount a tmpfs 2810 * /data, set a property saying we're doing inplace encryption, 2811 * and restart the framework. 2812 */ 2813 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 2814 goto error_shutting_down; 2815 } 2816 /* Tells the framework that inplace encryption is starting */ 2817 property_set("vold.encrypt_progress", "0"); 2818 2819 /* restart the framework. */ 2820 /* Create necessary paths on /data */ 2821 if (prep_data_fs()) { 2822 goto error_shutting_down; 2823 } 2824 2825 /* Ugh, shutting down the framework is not synchronous, so until it 2826 * can be fixed, this horrible hack will wait a moment for it all to 2827 * shut down before proceeding. Without it, some devices cannot 2828 * restart the graphics services. 2829 */ 2830 sleep(2); 2831 } 2832 2833 /* Start the actual work of making an encrypted filesystem */ 2834 /* Initialize a crypt_mnt_ftr for the partition */ 2835 if (previously_encrypted_upto == 0 && !rebootEncryption) { 2836 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) { 2837 goto error_shutting_down; 2838 } 2839 2840 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 2841 crypt_ftr.fs_size = nr_sec 2842 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 2843 } else { 2844 crypt_ftr.fs_size = nr_sec; 2845 } 2846 /* At this point, we are in an inconsistent state. Until we successfully 2847 complete encryption, a reboot will leave us broken. So mark the 2848 encryption failed in case that happens. 2849 On successfully completing encryption, remove this flag */ 2850 if (onlyCreateHeader) { 2851 crypt_ftr.flags |= CRYPT_FORCE_ENCRYPTION; 2852 } else { 2853 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2854 } 2855 crypt_ftr.crypt_type = crypt_type; 2856 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN); 2857 2858 /* Make an encrypted master key */ 2859 if (create_encrypted_random_key(onlyCreateHeader ? DEFAULT_PASSWORD : passwd, 2860 crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) { 2861 SLOGE("Cannot create encrypted master key\n"); 2862 goto error_shutting_down; 2863 } 2864 2865 /* Replace scrypted intermediate key if we are preparing for a reboot */ 2866 if (onlyCreateHeader) { 2867 unsigned char fake_master_key[KEY_LEN_BYTES]; 2868 unsigned char encrypted_fake_master_key[KEY_LEN_BYTES]; 2869 memset(fake_master_key, 0, sizeof(fake_master_key)); 2870 encrypt_master_key(passwd, crypt_ftr.salt, fake_master_key, 2871 encrypted_fake_master_key, &crypt_ftr); 2872 } 2873 2874 /* Write the key to the end of the partition */ 2875 put_crypt_ftr_and_key(&crypt_ftr); 2876 2877 /* If any persistent data has been remembered, save it. 2878 * If none, create a valid empty table and save that. 2879 */ 2880 if (!persist_data) { 2881 pdata = (crypt_persist_data *)malloc(CRYPT_PERSIST_DATA_SIZE); 2882 if (pdata) { 2883 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 2884 persist_data = pdata; 2885 } 2886 } 2887 if (persist_data) { 2888 save_persistent_data(); 2889 } 2890 } 2891 2892 if (onlyCreateHeader) { 2893 sleep(2); 2894 cryptfs_reboot(reboot); 2895 } 2896 2897 if (how == CRYPTO_ENABLE_INPLACE && (!no_ui || rebootEncryption)) { 2898 /* startup service classes main and late_start */ 2899 property_set("vold.decrypt", "trigger_restart_min_framework"); 2900 SLOGD("Just triggered restart_min_framework\n"); 2901 2902 /* OK, the framework is restarted and will soon be showing a 2903 * progress bar. Time to setup an encrypted mapping, and 2904 * either write a new filesystem, or encrypt in place updating 2905 * the progress bar as we work. 2906 */ 2907 } 2908 2909 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 2910 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, 2911 CRYPTO_BLOCK_DEVICE); 2912 2913 /* If we are continuing, check checksums match */ 2914 rc = 0; 2915 if (previously_encrypted_upto) { 2916 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; 2917 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block); 2918 2919 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block, 2920 sizeof(hash_first_block)) != 0) { 2921 SLOGE("Checksums do not match - trigger wipe"); 2922 rc = -1; 2923 } 2924 } 2925 2926 if (!rc) { 2927 rc = cryptfs_enable_all_volumes(&crypt_ftr, how, 2928 crypto_blkdev, real_blkdev, 2929 previously_encrypted_upto); 2930 } 2931 2932 /* Calculate checksum if we are not finished */ 2933 if (!rc && how == CRYPTO_ENABLE_INPLACE 2934 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 2935 rc = cryptfs_SHA256_fileblock(crypto_blkdev, 2936 crypt_ftr.hash_first_block); 2937 if (rc) { 2938 SLOGE("Error calculating checksum for continuing encryption"); 2939 rc = -1; 2940 } 2941 } 2942 2943 /* Undo the dm-crypt mapping whether we succeed or not */ 2944 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE); 2945 2946 if (! rc) { 2947 /* Success */ 2948 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE; 2949 2950 if (how == CRYPTO_ENABLE_INPLACE 2951 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 2952 SLOGD("Encrypted up to sector %lld - will continue after reboot", 2953 crypt_ftr.encrypted_upto); 2954 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS; 2955 } 2956 2957 put_crypt_ftr_and_key(&crypt_ftr); 2958 2959 if (how == CRYPTO_ENABLE_WIPE 2960 || crypt_ftr.encrypted_upto == crypt_ftr.fs_size) { 2961 char value[PROPERTY_VALUE_MAX]; 2962 property_get("ro.crypto.state", value, ""); 2963 if (!strcmp(value, "")) { 2964 /* default encryption - continue first boot sequence */ 2965 property_set("ro.crypto.state", "encrypted"); 2966 property_set("ro.crypto.type", "block"); 2967 release_wake_lock(lockid); 2968 if (rebootEncryption && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) { 2969 // Bring up cryptkeeper that will check the password and set it 2970 property_set("vold.decrypt", "trigger_shutdown_framework"); 2971 sleep(2); 2972 property_set("vold.encrypt_progress", ""); 2973 cryptfs_trigger_restart_min_framework(); 2974 } else { 2975 cryptfs_check_passwd(DEFAULT_PASSWORD); 2976 cryptfs_restart_internal(1); 2977 } 2978 return 0; 2979 } else { 2980 sleep(2); /* Give the UI a chance to show 100% progress */ 2981 cryptfs_reboot(reboot); 2982 } 2983 } else { 2984 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */ 2985 cryptfs_reboot(shutdown); 2986 } 2987 } else { 2988 char value[PROPERTY_VALUE_MAX]; 2989 2990 property_get("ro.vold.wipe_on_crypt_fail", value, "0"); 2991 if (!strcmp(value, "1")) { 2992 /* wipe data if encryption failed */ 2993 SLOGE("encryption failed - rebooting into recovery to wipe data\n"); 2994 std::string err; 2995 const std::vector<std::string> options = { 2996 "--wipe_data\n--reason=cryptfs_enable_internal\n" 2997 }; 2998 if (!write_bootloader_message(options, &err)) { 2999 SLOGE("could not write bootloader message: %s", err.c_str()); 3000 } 3001 cryptfs_reboot(recovery); 3002 } else { 3003 /* set property to trigger dialog */ 3004 property_set("vold.encrypt_progress", "error_partially_encrypted"); 3005 release_wake_lock(lockid); 3006 } 3007 return -1; 3008 } 3009 3010 /* hrm, the encrypt step claims success, but the reboot failed. 3011 * This should not happen. 3012 * Set the property and return. Hope the framework can deal with it. 3013 */ 3014 property_set("vold.encrypt_progress", "error_reboot_failed"); 3015 release_wake_lock(lockid); 3016 return rc; 3017 3018 error_unencrypted: 3019 property_set("vold.encrypt_progress", "error_not_encrypted"); 3020 if (lockid[0]) { 3021 release_wake_lock(lockid); 3022 } 3023 return -1; 3024 3025 error_shutting_down: 3026 /* we failed, and have not encrypted anthing, so the users's data is still intact, 3027 * but the framework is stopped and not restarted to show the error, so it's up to 3028 * vold to restart the system. 3029 */ 3030 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system"); 3031 cryptfs_reboot(reboot); 3032 3033 /* shouldn't get here */ 3034 property_set("vold.encrypt_progress", "error_shutting_down"); 3035 if (lockid[0]) { 3036 release_wake_lock(lockid); 3037 } 3038 return -1; 3039 } 3040 3041 int cryptfs_enable(char *howarg, int type, char *passwd, int no_ui) 3042 { 3043 return cryptfs_enable_internal(howarg, type, passwd, no_ui); 3044 } 3045 3046 int cryptfs_enable_default(char *howarg, int no_ui) 3047 { 3048 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT, 3049 DEFAULT_PASSWORD, no_ui); 3050 } 3051 3052 int cryptfs_changepw(int crypt_type, const char *newpw) 3053 { 3054 if (e4crypt_is_native()) { 3055 SLOGE("cryptfs_changepw not valid for file encryption"); 3056 return -1; 3057 } 3058 3059 struct crypt_mnt_ftr crypt_ftr; 3060 int rc; 3061 3062 /* This is only allowed after we've successfully decrypted the master key */ 3063 if (!master_key_saved) { 3064 SLOGE("Key not saved, aborting"); 3065 return -1; 3066 } 3067 3068 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3069 SLOGE("Invalid crypt_type %d", crypt_type); 3070 return -1; 3071 } 3072 3073 /* get key */ 3074 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3075 SLOGE("Error getting crypt footer and key"); 3076 return -1; 3077 } 3078 3079 crypt_ftr.crypt_type = crypt_type; 3080 3081 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD 3082 : newpw, 3083 crypt_ftr.salt, 3084 saved_master_key, 3085 crypt_ftr.master_key, 3086 &crypt_ftr); 3087 if (rc) { 3088 SLOGE("Encrypt master key failed: %d", rc); 3089 return -1; 3090 } 3091 /* save the key */ 3092 put_crypt_ftr_and_key(&crypt_ftr); 3093 3094 return 0; 3095 } 3096 3097 static unsigned int persist_get_max_entries(int encrypted) { 3098 struct crypt_mnt_ftr crypt_ftr; 3099 unsigned int dsize; 3100 unsigned int max_persistent_entries; 3101 3102 /* If encrypted, use the values from the crypt_ftr, otherwise 3103 * use the values for the current spec. 3104 */ 3105 if (encrypted) { 3106 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3107 return -1; 3108 } 3109 dsize = crypt_ftr.persist_data_size; 3110 } else { 3111 dsize = CRYPT_PERSIST_DATA_SIZE; 3112 } 3113 3114 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) / 3115 sizeof(struct crypt_persist_entry); 3116 3117 return max_persistent_entries; 3118 } 3119 3120 static int persist_get_key(const char *fieldname, char *value) 3121 { 3122 unsigned int i; 3123 3124 if (persist_data == NULL) { 3125 return -1; 3126 } 3127 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3128 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3129 /* We found it! */ 3130 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX); 3131 return 0; 3132 } 3133 } 3134 3135 return -1; 3136 } 3137 3138 static int persist_set_key(const char *fieldname, const char *value, int encrypted) 3139 { 3140 unsigned int i; 3141 unsigned int num; 3142 unsigned int max_persistent_entries; 3143 3144 if (persist_data == NULL) { 3145 return -1; 3146 } 3147 3148 max_persistent_entries = persist_get_max_entries(encrypted); 3149 3150 num = persist_data->persist_valid_entries; 3151 3152 for (i = 0; i < num; i++) { 3153 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3154 /* We found an existing entry, update it! */ 3155 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX); 3156 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX); 3157 return 0; 3158 } 3159 } 3160 3161 /* We didn't find it, add it to the end, if there is room */ 3162 if (persist_data->persist_valid_entries < max_persistent_entries) { 3163 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry)); 3164 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX); 3165 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX); 3166 persist_data->persist_valid_entries++; 3167 return 0; 3168 } 3169 3170 return -1; 3171 } 3172 3173 /** 3174 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the 3175 * sequence and its index is greater than or equal to index. Return 0 otherwise. 3176 */ 3177 static int match_multi_entry(const char *key, const char *field, unsigned index) { 3178 unsigned int field_len; 3179 unsigned int key_index; 3180 field_len = strlen(field); 3181 3182 if (index == 0) { 3183 // The first key in a multi-entry field is just the filedname itself. 3184 if (!strcmp(key, field)) { 3185 return 1; 3186 } 3187 } 3188 // Match key against "%s_%d" % (field, index) 3189 if (strlen(key) < field_len + 1 + 1) { 3190 // Need at least a '_' and a digit. 3191 return 0; 3192 } 3193 if (strncmp(key, field, field_len)) { 3194 // If the key does not begin with field, it's not a match. 3195 return 0; 3196 } 3197 if (1 != sscanf(&key[field_len],"_%d", &key_index)) { 3198 return 0; 3199 } 3200 return key_index >= index; 3201 } 3202 3203 /* 3204 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all 3205 * remaining entries starting from index will be deleted. 3206 * returns PERSIST_DEL_KEY_OK if deletion succeeds, 3207 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist, 3208 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs. 3209 * 3210 */ 3211 static int persist_del_keys(const char *fieldname, unsigned index) 3212 { 3213 unsigned int i; 3214 unsigned int j; 3215 unsigned int num; 3216 3217 if (persist_data == NULL) { 3218 return PERSIST_DEL_KEY_ERROR_OTHER; 3219 } 3220 3221 num = persist_data->persist_valid_entries; 3222 3223 j = 0; // points to the end of non-deleted entries. 3224 // Filter out to-be-deleted entries in place. 3225 for (i = 0; i < num; i++) { 3226 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) { 3227 persist_data->persist_entry[j] = persist_data->persist_entry[i]; 3228 j++; 3229 } 3230 } 3231 3232 if (j < num) { 3233 persist_data->persist_valid_entries = j; 3234 // Zeroise the remaining entries 3235 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry)); 3236 return PERSIST_DEL_KEY_OK; 3237 } else { 3238 // Did not find an entry matching the given fieldname 3239 return PERSIST_DEL_KEY_ERROR_NO_FIELD; 3240 } 3241 } 3242 3243 static int persist_count_keys(const char *fieldname) 3244 { 3245 unsigned int i; 3246 unsigned int count; 3247 3248 if (persist_data == NULL) { 3249 return -1; 3250 } 3251 3252 count = 0; 3253 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3254 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) { 3255 count++; 3256 } 3257 } 3258 3259 return count; 3260 } 3261 3262 /* Return the value of the specified field. */ 3263 int cryptfs_getfield(const char *fieldname, char *value, int len) 3264 { 3265 if (e4crypt_is_native()) { 3266 SLOGE("Cannot get field when file encrypted"); 3267 return -1; 3268 } 3269 3270 char temp_value[PROPERTY_VALUE_MAX]; 3271 /* CRYPTO_GETFIELD_OK is success, 3272 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set, 3273 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small, 3274 * CRYPTO_GETFIELD_ERROR_OTHER is any other error 3275 */ 3276 int rc = CRYPTO_GETFIELD_ERROR_OTHER; 3277 int i; 3278 char temp_field[PROPERTY_KEY_MAX]; 3279 3280 if (persist_data == NULL) { 3281 load_persistent_data(); 3282 if (persist_data == NULL) { 3283 SLOGE("Getfield error, cannot load persistent data"); 3284 goto out; 3285 } 3286 } 3287 3288 // Read value from persistent entries. If the original value is split into multiple entries, 3289 // stitch them back together. 3290 if (!persist_get_key(fieldname, temp_value)) { 3291 // We found it, copy it to the caller's buffer and keep going until all entries are read. 3292 if (strlcpy(value, temp_value, len) >= (unsigned) len) { 3293 // value too small 3294 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 3295 goto out; 3296 } 3297 rc = CRYPTO_GETFIELD_OK; 3298 3299 for (i = 1; /* break explicitly */; i++) { 3300 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >= 3301 (int) sizeof(temp_field)) { 3302 // If the fieldname is very long, we stop as soon as it begins to overflow the 3303 // maximum field length. At this point we have in fact fully read out the original 3304 // value because cryptfs_setfield would not allow fields with longer names to be 3305 // written in the first place. 3306 break; 3307 } 3308 if (!persist_get_key(temp_field, temp_value)) { 3309 if (strlcat(value, temp_value, len) >= (unsigned)len) { 3310 // value too small. 3311 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 3312 goto out; 3313 } 3314 } else { 3315 // Exhaust all entries. 3316 break; 3317 } 3318 } 3319 } else { 3320 /* Sadness, it's not there. Return the error */ 3321 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD; 3322 } 3323 3324 out: 3325 return rc; 3326 } 3327 3328 /* Set the value of the specified field. */ 3329 int cryptfs_setfield(const char *fieldname, const char *value) 3330 { 3331 if (e4crypt_is_native()) { 3332 SLOGE("Cannot set field when file encrypted"); 3333 return -1; 3334 } 3335 3336 char encrypted_state[PROPERTY_VALUE_MAX]; 3337 /* 0 is success, negative values are error */ 3338 int rc = CRYPTO_SETFIELD_ERROR_OTHER; 3339 int encrypted = 0; 3340 unsigned int field_id; 3341 char temp_field[PROPERTY_KEY_MAX]; 3342 unsigned int num_entries; 3343 unsigned int max_keylen; 3344 3345 if (persist_data == NULL) { 3346 load_persistent_data(); 3347 if (persist_data == NULL) { 3348 SLOGE("Setfield error, cannot load persistent data"); 3349 goto out; 3350 } 3351 } 3352 3353 property_get("ro.crypto.state", encrypted_state, ""); 3354 if (!strcmp(encrypted_state, "encrypted") ) { 3355 encrypted = 1; 3356 } 3357 3358 // Compute the number of entries required to store value, each entry can store up to 3359 // (PROPERTY_VALUE_MAX - 1) chars 3360 if (strlen(value) == 0) { 3361 // Empty value also needs one entry to store. 3362 num_entries = 1; 3363 } else { 3364 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1); 3365 } 3366 3367 max_keylen = strlen(fieldname); 3368 if (num_entries > 1) { 3369 // Need an extra "_%d" suffix. 3370 max_keylen += 1 + log10(num_entries); 3371 } 3372 if (max_keylen > PROPERTY_KEY_MAX - 1) { 3373 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG; 3374 goto out; 3375 } 3376 3377 // Make sure we have enough space to write the new value 3378 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) > 3379 persist_get_max_entries(encrypted)) { 3380 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG; 3381 goto out; 3382 } 3383 3384 // Now that we know persist_data has enough space for value, let's delete the old field first 3385 // to make up space. 3386 persist_del_keys(fieldname, 0); 3387 3388 if (persist_set_key(fieldname, value, encrypted)) { 3389 // fail to set key, should not happen as we have already checked the available space 3390 SLOGE("persist_set_key() error during setfield()"); 3391 goto out; 3392 } 3393 3394 for (field_id = 1; field_id < num_entries; field_id++) { 3395 snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id); 3396 3397 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) { 3398 // fail to set key, should not happen as we have already checked the available space. 3399 SLOGE("persist_set_key() error during setfield()"); 3400 goto out; 3401 } 3402 } 3403 3404 /* If we are running encrypted, save the persistent data now */ 3405 if (encrypted) { 3406 if (save_persistent_data()) { 3407 SLOGE("Setfield error, cannot save persistent data"); 3408 goto out; 3409 } 3410 } 3411 3412 rc = CRYPTO_SETFIELD_OK; 3413 3414 out: 3415 return rc; 3416 } 3417 3418 /* Checks userdata. Attempt to mount the volume if default- 3419 * encrypted. 3420 * On success trigger next init phase and return 0. 3421 * Currently do not handle failure - see TODO below. 3422 */ 3423 int cryptfs_mount_default_encrypted(void) 3424 { 3425 int crypt_type = cryptfs_get_password_type(); 3426 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3427 SLOGE("Bad crypt type - error"); 3428 } else if (crypt_type != CRYPT_TYPE_DEFAULT) { 3429 SLOGD("Password is not default - " 3430 "starting min framework to prompt"); 3431 property_set("vold.decrypt", "trigger_restart_min_framework"); 3432 return 0; 3433 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) { 3434 SLOGD("Password is default - restarting filesystem"); 3435 cryptfs_restart_internal(0); 3436 return 0; 3437 } else { 3438 SLOGE("Encrypted, default crypt type but can't decrypt"); 3439 } 3440 3441 /** Corrupt. Allow us to boot into framework, which will detect bad 3442 crypto when it calls do_crypto_complete, then do a factory reset 3443 */ 3444 property_set("vold.decrypt", "trigger_restart_min_framework"); 3445 return 0; 3446 } 3447 3448 /* Returns type of the password, default, pattern, pin or password. 3449 */ 3450 int cryptfs_get_password_type(void) 3451 { 3452 if (e4crypt_is_native()) { 3453 SLOGE("cryptfs_get_password_type not valid for file encryption"); 3454 return -1; 3455 } 3456 3457 struct crypt_mnt_ftr crypt_ftr; 3458 3459 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3460 SLOGE("Error getting crypt footer and key\n"); 3461 return -1; 3462 } 3463 3464 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) { 3465 return -1; 3466 } 3467 3468 return crypt_ftr.crypt_type; 3469 } 3470 3471 const char* cryptfs_get_password() 3472 { 3473 if (e4crypt_is_native()) { 3474 SLOGE("cryptfs_get_password not valid for file encryption"); 3475 return 0; 3476 } 3477 3478 struct timespec now; 3479 clock_gettime(CLOCK_BOOTTIME, &now); 3480 if (now.tv_sec < password_expiry_time) { 3481 return password; 3482 } else { 3483 cryptfs_clear_password(); 3484 return 0; 3485 } 3486 } 3487 3488 void cryptfs_clear_password() 3489 { 3490 if (password) { 3491 size_t len = strlen(password); 3492 memset(password, 0, len); 3493 free(password); 3494 password = 0; 3495 password_expiry_time = 0; 3496 } 3497 } 3498 3499 int cryptfs_enable_file() 3500 { 3501 return e4crypt_initialize_global_de(); 3502 } 3503 3504 int cryptfs_isConvertibleToFBE() 3505 { 3506 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 3507 return fs_mgr_is_convertible_to_fbe(rec) ? 1 : 0; 3508 } 3509 3510 int cryptfs_create_default_ftr(struct crypt_mnt_ftr* crypt_ftr, __attribute__((unused))int key_length) 3511 { 3512 if (cryptfs_init_crypt_mnt_ftr(crypt_ftr)) { 3513 SLOGE("Failed to initialize crypt_ftr"); 3514 return -1; 3515 } 3516 3517 if (create_encrypted_random_key(DEFAULT_PASSWORD, crypt_ftr->master_key, 3518 crypt_ftr->salt, crypt_ftr)) { 3519 SLOGE("Cannot create encrypted master key\n"); 3520 return -1; 3521 } 3522 3523 //crypt_ftr->keysize = key_length / 8; 3524 return 0; 3525 } 3526 3527 int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password, 3528 unsigned char* master_key) 3529 { 3530 int rc; 3531 3532 unsigned char* intermediate_key = 0; 3533 size_t intermediate_key_size = 0; 3534 3535 if (password == 0 || *password == 0) { 3536 password = DEFAULT_PASSWORD; 3537 } 3538 3539 rc = decrypt_master_key(password, master_key, ftr, &intermediate_key, 3540 &intermediate_key_size); 3541 3542 if (rc) { 3543 SLOGE("Can't calculate intermediate key"); 3544 return rc; 3545 } 3546 3547 int N = 1 << ftr->N_factor; 3548 int r = 1 << ftr->r_factor; 3549 int p = 1 << ftr->p_factor; 3550 3551 unsigned char scrypted_intermediate_key[sizeof(ftr->scrypted_intermediate_key)]; 3552 3553 rc = crypto_scrypt(intermediate_key, intermediate_key_size, 3554 ftr->salt, sizeof(ftr->salt), N, r, p, 3555 scrypted_intermediate_key, 3556 sizeof(scrypted_intermediate_key)); 3557 3558 free(intermediate_key); 3559 3560 if (rc) { 3561 SLOGE("Can't scrypt intermediate key"); 3562 return rc; 3563 } 3564 3565 return memcmp(scrypted_intermediate_key, ftr->scrypted_intermediate_key, 3566 intermediate_key_size); 3567 } 3568 3569 int cryptfs_set_password(struct crypt_mnt_ftr* ftr, const char* password, 3570 const unsigned char* master_key) 3571 { 3572 return encrypt_master_key(password, ftr->salt, master_key, ftr->master_key, 3573 ftr); 3574 } 3575 3576 void cryptfs_get_file_encryption_modes(const char **contents_mode_ret, 3577 const char **filenames_mode_ret) 3578 { 3579 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 3580 fs_mgr_get_file_encryption_modes(rec, contents_mode_ret, filenames_mode_ret); 3581 } 3582
